WWBN AVideo, an open source video platform, has a CSRF vulnerability in versions 29.0 and prior affecting the configuration update endpoint (`objects/configurationUpdate.json.php` or `/updateConfig`). This endpoint persists numerous global site settings from POST data but only checks if the user is an admin without enforcing CSRF protections such as a global token or Origin/Referer header validation. Because the platform sets session cookies with SameSite=None to allow cross-origin iframe embedding, an attacker can cause a logged-in administrator's browser to auto-submit a malicious cross-origin POST request. This request can overwrite sensitive site configurations including encoder URL, SMTP credentials, site HTML head content, logo, favicon, and contact email. The vulnerability is tracked as CWE-352 and has a CVSS 3.1 score of 8.3 (high severity). A code commit fixing the issue is identified, but no formal patch or vendor advisory is provided in the input.

Successful exploitation allows an attacker to modify critical global site settings by leveraging a logged-in administrator's browser to perform unauthorized configuration changes. This can lead to compromise of site functionality, disclosure or manipulation of sensitive information such as SMTP credentials, and defacement or redirection via changes to site branding and HTML content. The vulnerability requires the victim to be an authenticated administrator who visits a malicious page, but no additional privileges or complex conditions are needed.

A fix is available as indicated by the referenced commit f9492f5e6123dff0292d5bb3164fde7665dc36b4, which presumably adds proper CSRF protections to the configuration update endpoint. Since no official patch release or vendor advisory is provided in the data, users should apply this fix from the source repository or update to a version including this commit. Until patched, administrators should avoid visiting untrusted sites while logged in to AVideo to reduce risk of CSRF exploitation.