WWBN AVideo versions <= 29.0 contain a vulnerability in the CloneSite plugin where the local shared secret key (myKey) is exposed in error messages returned by cloneClient.json.php on unauthenticated requests. The key is derived as md5(systemRootPath + salt) and is intended to authenticate CloneSite federation or backup operations. Because the error message interpolates this key before terminating the request, an attacker can retrieve it without authentication. Possession of this key allows the attacker to impersonate the victim to the remote cloneServer.json.php endpoint, enabling them to trigger a mysqldump of the remote database, which is then stored in a publicly accessible directory. A fix has been committed (commit e6566f56a28f4556b2a0a09d03717a719dcb49da), but no official patch or vendor advisory is provided in the data.

The vulnerability allows unauthenticated attackers to obtain a sensitive authentication key used for CloneSite federation. With this key, attackers can impersonate the victim to remote CloneSite servers and cause a full database dump to be written to a public directory, potentially exposing all database contents. This leads to a high confidentiality impact but does not affect integrity or availability directly. There are no known exploits in the wild reported at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. A code commit addressing the issue exists, but no official patch or advisory is provided in the available data. Until an official fix is released, restrict access to the affected cloneClient.json.php endpoint and avoid exposing CloneSite federation URLs publicly. Monitor vendor channels for an official update and apply it promptly once available.