WWBN AVideo is an open source video platform that manages video content and categorization with user group-based access controls. In versions up to and including 26.0, the categories.json.php endpoint, which provides the category listing API, contains an incorrect authorization vulnerability (CWE-863). Specifically, when a request is made without the ?user= parameter, the endpoint completely skips filtering categories by user group, exposing all non-private categories regardless of access restrictions. When the ?user= parameter is supplied, a type confusion bug causes the filtering logic to use the admin user's (user_id=1) group memberships instead of the specified user's, effectively bypassing intended access controls. This results in unauthorized users being able to view categories restricted to specific user groups. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. The issue was identified and fixed in commit 6e8a673eed07be5628d0b60fbfabd171f3ce74c9. The CVSS 3.1 base score is 5.3, reflecting a medium severity due to the confidentiality impact without integrity or availability consequences. No known exploits have been reported in the wild as of the publication date.

The primary impact of this vulnerability is unauthorized disclosure of video category information that should be restricted to certain user groups. This can lead to leakage of sensitive or proprietary content categories, potentially exposing confidential business information or private user data. Organizations relying on AVideo for internal or restricted video sharing may face privacy violations and compliance risks. Although the vulnerability does not allow modification or deletion of data, the exposure of restricted categories can aid attackers in reconnaissance or social engineering attacks. The lack of authentication requirement and remote exploitability increases the risk of widespread unauthorized access. However, since only category metadata is exposed and not the actual video content, the impact is somewhat limited but still significant for privacy-sensitive deployments.

Organizations using WWBN AVideo versions 26.0 or earlier should immediately upgrade to a version that includes the fix from commit 6e8a673eed07be5628d0b60fbfabd171f3ce74c9 or later. If upgrading is not immediately possible, administrators should restrict access to the categories.json.php endpoint via network controls such as firewalls or VPNs to trusted users only. Additionally, auditing access logs for unusual or unauthorized requests to this endpoint can help detect exploitation attempts. Developers and administrators should review user group access control implementations across all API endpoints to ensure proper enforcement. Applying the principle of least privilege to user groups and segregating sensitive content can reduce exposure. Regularly monitoring WWBN security advisories for updates and patches is also recommended.