WWBN AVideo is an open-source video platform that includes an administrative endpoint, objects/emailAllUsers.json.php, which allows sending HTML emails to all registered users. In versions 26.0 and prior, this endpoint verifies that the requester has an active admin session but does not implement CSRF token validation. The platform sets session cookies with the SameSite attribute set to None, which means cookies are sent with cross-origin requests. An attacker can exploit this by luring an authenticated administrator to a malicious website that issues a cross-origin POST request to the vulnerable endpoint. Because the admin's session cookie is automatically included, the request is authenticated, allowing the attacker to send arbitrary HTML emails to every user on the platform. These emails appear to originate from the legitimate SMTP address configured on the instance, potentially enabling phishing, social engineering, or malware distribution campaigns. The vulnerability does not affect confidentiality or availability directly but compromises integrity by allowing unauthorized email content injection. No patches or fixes are publicly available at the time of publication, increasing the risk window. The CVSS 3.1 score is 6.5, indicating medium severity, with attack vector network, low attack complexity, no privileges required, but user interaction needed (admin visiting malicious page).

The primary impact of this vulnerability is on the integrity of communications within organizations using WWBN AVideo. An attacker can send arbitrary HTML emails to all registered users, potentially leading to widespread phishing attacks, malware distribution, or social engineering campaigns that appear to come from a trusted internal source. This can erode user trust, lead to credential theft, or facilitate further compromise of user systems. Since the emails are sent from the legitimate SMTP address, standard email security controls like SPF, DKIM, and DMARC may not detect the malicious emails as spoofed, increasing the likelihood of successful attacks. Although the vulnerability does not directly affect system availability or confidentiality, the downstream effects of successful phishing or malware campaigns can be severe, including data breaches or ransomware infections. Organizations with large user bases on AVideo platforms are at higher risk due to the scale of potential impact. The lack of available patches prolongs exposure, and the requirement for an admin to visit a malicious page means social engineering is a key exploitation vector.

Until an official patch is released, organizations should implement several specific mitigations: 1) Restrict administrative access to trusted networks or VPNs to reduce the risk of admins visiting malicious sites while authenticated. 2) Educate administrators about the risks of visiting untrusted websites while logged into the AVideo platform. 3) Implement web application firewall (WAF) rules to detect and block suspicious POST requests to the emailAllUsers.json.php endpoint, especially those originating from cross-origin sources. 4) Consider temporarily disabling or restricting the emailAllUsers functionality if feasible. 5) Monitor outgoing emails for unusual patterns or content that could indicate exploitation. 6) Review and tighten session cookie settings, such as changing SameSite attribute to Lax or Strict if compatible with application functionality, to prevent cookies from being sent cross-origin. 7) Employ multi-factor authentication (MFA) for admin accounts to reduce the risk of session hijacking. 8) Stay alert for vendor updates and apply patches promptly once available. These targeted mitigations go beyond generic advice by focusing on the specific attack vector and platform behavior.