WWBN AVideo versions up to 29.0 contain a missing authentication vulnerability (CWE-306) in the objects/users.json.php endpoint. Two unauthenticated paths allow disclosure of user account data: one path uses the isCompany parameter to bypass admin checks by setting $ignoreAdmin=true for non-admin and unauthenticated callers, defeating the intended admin-only restriction in User::getAllUsers()/User::getTotalUsers(). The second path accepts a users_id parameter and calls User::getUserFromID() without permission verification, enabling retrieval of individual user details. Both paths return sensitive user attributes and total account counts. A code commit has been identified that addresses this issue, but no official patch or remediation guidance is currently available.

The vulnerability allows unauthenticated attackers to obtain confidential user information including user IDs, display names, channel URLs, photos, backgrounds, and account status. This exposure compromises user privacy and could facilitate further targeted attacks or social engineering. There is no indication of impact on integrity or availability. No known exploits have been reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. A code commit (d9cdc702481a626b15f814f6093f1e2a9c20d375) reportedly fixes the issue, but no official patch or vendor advisory is currently available. Users should monitor WWBN communications for an official update and apply it once released. Until then, restrict access to the vulnerable endpoints if possible or implement additional access controls to prevent unauthenticated access.