In WWBN AVideo versions up to 29.0, the OAuth login process in plugin/MobileManager/oauth2.php issues an HTTP 302 redirect containing the user's email and a stored password hash in the query string. The stored hash is derived as md5(hash("whirlpool", sha1(password))) and is read directly from the users table. The login endpoint objects/login.json.php accepts an encodedPass=1 flag that bypasses hashing and compares the supplied value directly to the stored hash, making the hash functionally equivalent to a plaintext password. Exposure of this URL via server logs, referrer leakage, or browser history enables attackers to fully compromise user accounts. A code commit (977cd6930a97571a26da4239e25c8096dd4ecbc1) contains a fix for this issue.

An attacker who obtains the redirect URL containing the sensitive password hash can fully take over the victim's account, including accounts with administrative privileges. This leads to complete compromise of user accounts without needing to know the actual plaintext password. The vulnerability impacts confidentiality and integrity of user accounts but does not affect availability. The CVSS v3.1 base score is 6.8 (medium severity), reflecting network attack vector, high complexity, no privileges required, user interaction required, unchanged scope, and high impact on confidentiality and integrity.

Patch status is not yet confirmed — no official fix or vendor advisory is provided in the input data. However, a code commit (977cd6930a97571a26da4239e25c8096dd4ecbc1) reportedly contains a fix. Users should verify if this fix is included in versions later than 29.0 and upgrade accordingly. Until patched, avoid exposing sensitive information in URLs and consider monitoring and restricting access to server logs and referrer data that may contain such URLs.