AVideo's admin plugin configuration endpoint (admin/save.json.php) lacks any CSRF token validation. There is no call to isGlobalTokenValid() or verifyToken() before processing the request. Combined with the application's explicit SameSite=None cookie policy, an attacker can forge cross-origin POST requests from a malicious page to overwrite arbitrary plugin settings on a victim administrator's session.
Because the plugins table is included in the ignoreTableSecurityCheck() array in objects/Object.php, standard table-level access controls are also bypassed. This allows a complete takeover of platform functionality by reconfiguring payment processors, authentication providers, cloud storage credentials, and more.
The session cookie configuration in objects/include_config.php at line 135 explicitly weakens the default browser protections:
// objects/include_config.php:135
ini_set('session.cookie_samesite', 'None');
This means the session cookie is sent along with cross-site requests, including POSTs submitted from a page on another origin, instead of being withheld as it would be under SameSite=Lax or Strict. A forged request therefore arrives carrying the victim's authenticated session, which is what makes the CSRF attack trivial.
The save endpoint in admin/save.json.php directly processes POST data without any token verification:
// admin/save.json.php
$pluginName = $_POST['pluginName'];
$pluginValues = $_POST;
// ...
$pluginDO->$key = $pluginValues[$key];
$p->setObject_data(json_encode($pluginDO));
$p->save();
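The following is an added example, not AVideo's own code, that puts the corrected cookie policy from objects/include_config.php beside a hardened form of the save handler quoted above. The functions csrfToken(), csrfTokenIsValid(), requestIsSameOrigin() and savePluginConfig(), the session key csrf_token and the allow-list copy of plugin keys are assumptions for illustration; setObject_data() and save() are the calls the page shows.

```php
<?php
// Added example (hypothetical, not AVideo's code): corrected session cookie
// policy plus a plugin-save handler that validates a CSRF token before
// touching any plugin setting.

// 1. Cookie policy. The page shows session.cookie_samesite set to 'None';
//    'Lax' (or 'Strict') makes browsers withhold the session cookie from
//    cross-site POSTs, so a forged request arrives without a session.
ini_set('session.cookie_samesite', 'Lax');   // was 'None'
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
session_start();

// 2. Per-session CSRF token (assumed session key), generated once and
//    embedded in the admin form as a hidden field.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// 3. Compare the submitted token with the session copy in constant time.
function csrfTokenIsValid(?string $submitted): bool {
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// 4. Defence in depth: refuse requests the browser marks as cross-site,
//    using Sec-Fetch-Site when present and the Origin header otherwise.
function requestIsSameOrigin(): bool {
    $site = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? null;
    if ($site !== null) {
        return in_array($site, ['same-origin', 'none'], true);
    }
    $origin   = $_SERVER['HTTP_ORIGIN'] ?? '';
    $expected = 'https://' . ($_SERVER['HTTP_HOST'] ?? '');
    return $origin === $expected;
}

// 5. Hardened handler: every check runs before a single value is written.
//    $pluginDO is the plugin's settings object, $p the record being saved.
function savePluginConfig(array $post, object $pluginDO, object $p): array {
    if (!requestIsSameOrigin()) {
        http_response_code(403);
        return ['error' => true, 'msg' => 'cross-site request rejected'];
    }
    if (!csrfTokenIsValid($post['csrf_token'] ?? null)) {
        http_response_code(403);
        return ['error' => true, 'msg' => 'invalid CSRF token'];
    }
    if (!isset($post['pluginName']) || !preg_match('/^[A-Za-z0-9_]+$/', $post['pluginName'])) {
        return ['error' => true, 'msg' => 'invalid plugin name'];
    }
    // Copy only keys the settings object already declares (allow-list,
    // an assumption here) rather than the whole $_POST array, so a request
    // cannot introduce settings the plugin never defined.
    foreach (array_keys(get_object_vars($pluginDO)) as $key) {
        if (array_key_exists($key, $post)) {
            $pluginDO->$key = $post[$key];
        }
    }
    $p->setObject_data(json_encode($pluginDO));
    $p->save();
    return ['error' => false, 'msg' => 'saved'];
}
```

The admin form that submits to this handler must carry the token, for example as `<input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrfToken()) ?>">`. The SameSite change alone is not sufficient on its own, since Lax still sends the cookie on top-level cross-site GET navigations; the token check is what ties each state-changing POST to a page the server itself rendered, and the Origin/Sec-Fetch-Site check rejects cross-site POSTs even in the event a token leaks.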
The plugins table is explicitly exempted from security checks in objects/Object.php at line 529:
// objects/Object.php:529
static function ignoreTableSecurityCheck() {
    return ['plugins', /* ... other tables ... */];
}
Even the ORM-level protections that exist for other tables do not apply to plugin configuration writes.
Host the following HTML on an attacker-controlled domain. When a logged-in AVideo administrator visits this page, their PayPal receiver email is silently changed to the attacker's address:
<!DOCTYPE html>
<html>
<head><title>Loading...</title></head>...
CVSS v3.1 metrics

Exploitability   Attack Vector (AV): Network (N)
                 Attack Complexity (AC): Low (L)
                 Privileges Required (PR): None (N)
                 User Interaction (UI): Required (R)
Scope            Scope (S): Unchanged (U)
Impact           Confidentiality (C): High (H)
                 Integrity (I): High (H)
                 Availability (A): None (N)

Base score: 8.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N