The plugin/Permissions/setPermission.json.php endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint performs no CSRF token validation, and the application explicitly sets session.cookie_samesite=None on its session cookies, so the admin's session cookie accompanies cross-site requests. An attacker therefore needs no session of their own: they host a page containing <img> tags whose src points at the endpoint, and when a logged-in admin visits it the browser issues those GET requests with the admin's cookie, silently granting whatever permissions the attacker chose to the attacker's user group and escalating that group to near-admin access.
The root cause is a combination of three issues:
1. $_REQUEST is used instead of $_POST, so every parameter can be supplied on the query string:
plugin/Permissions/setPermission.json.php:14-24:
    // $_REQUEST merges $_GET, $_POST and $_COOKIE, so all four values may arrive on the query string
    $intvalList = array('users_groups_id','plugins_id','type','isEnabled');
    foreach ($intvalList as $value) {
        if($_REQUEST[$value]==='true'){
            $_REQUEST[$value] = 1;
        }else{
            $_REQUEST[$value] = intval($_REQUEST[$value]);
        }
    }
    $obj = new stdClass();
    // Writes the permission with no check that the request was intentionally issued by the admin
    $obj->id = Permissions::setPermission($_REQUEST['users_groups_id'], $_REQUEST['plugins_id'], $_REQUEST['type'], $_REQUEST['isEnabled']);
The only authorization check is User::isAdmin() at line 10; there is no CSRF token validation via isGlobalTokenValid(). Note that switching to $_POST on its own would only remove the <img> and link vectors: with SameSite=None a cross-site form can still auto-submit a POST that carries the admin's cookie, so the token check is what actually closes the hole.
2. Session cookies set to SameSite=None:
objects/include_config.php:134-141:
    if ($isHTTPS) {
        // SameSite=None is intentional: AVideo supports cross-origin iframe embedding
        ini_set('session.cookie_samesite', 'None');
        ini_set('session.cookie_secure', '1');
    }
This means that on any HTTPS deployment the admin's session cookie is attached to cross-site requests of every kind, including the subresource fetch a browser performs for an <img src="..."> tag on an attacker-controlled page. (Secure is set alongside it, as browsers require for SameSite=None, which is why the attack applies to HTTPS installations.)
3. The codebase's own security model requires CSRF tokens on state-mutating endpoints:
The comment at include_config.php:137-138 states: "All state-mutating endpoints that are vulnerable to CSRF must instead enforce a short-lived globalToken (verifyToken)." Other endpoints like saveSort.json.php and...
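To make the interaction of the three conditions concrete, the following is an added example written for this report, not code from AVideo: a small Python model of the browser's SameSite cookie rules, a handler that mirrors the reported endpoint (GET and POST parameters merged as $_REQUEST does, admin check only), and a hypothetical hardened handler that requires POST and a per-session token. The session id, the parameter values, the token name globalToken and the handler names are constructed for the demonstration.

```python
"""Model of the three conditions behind the setPermission.json.php CSRF.

Added example, not AVideo code. 'vulnerable_handler' mirrors the behaviour the
report describes; 'hardened_handler' is a hypothetical fix. Session ids,
parameter values and the token name are constructed for this demonstration.
"""
import hmac
import secrets
from dataclasses import dataclass

# One logged-in admin, keyed by session cookie value (constructed).
SESSIONS = {"adm1n-s3ss": {"is_admin": True, "global_token": secrets.token_hex(16)}}
# Parameters an attacker would put in the <img src> to enable a permission for their group.
ATTACKER_GROUP = {"users_groups_id": "7", "plugins_id": "3", "type": "1", "isEnabled": "true"}
PARAMS = ("users_groups_id", "plugins_id", "type", "isEnabled")


@dataclass
class Request:
    method: str    # "GET" or "POST"
    get: dict      # query-string parameters ($_GET)
    post: dict     # form-body parameters ($_POST)
    cookies: dict  # cookies the browser chose to attach


def browser_attaches_cookie(samesite: str, context: str, method: str) -> bool:
    """Simplified SameSite rules. context is 'same-site', 'cross-site-subresource'
    (an <img> or fetch from another origin) or 'cross-site-top-level' (a link,
    redirect or auto-submitted form)."""
    if context == "same-site" or samesite == "None":
        return True
    if samesite == "Lax":
        return context == "cross-site-top-level" and method in ("GET", "HEAD")
    return False  # Strict: never on cross-site requests


def intval(value) -> int:
    """PHP-style coercion used by the endpoint: 'true' -> 1, non-numeric -> 0."""
    if value == "true":
        return 1
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def _apply(params: dict, store: set) -> str:
    p = {k: intval(params.get(k)) for k in PARAMS}
    if p["isEnabled"]:
        store.add((p["users_groups_id"], p["plugins_id"], p["type"]))
    return "granted"


def vulnerable_handler(req: Request, store: set) -> str:
    """Mirrors the report: $_REQUEST (GET merged with POST), isAdmin() only."""
    session = SESSIONS.get(req.cookies.get("PHPSESSID"))
    if not session or not session["is_admin"]:
        return "denied: not admin"
    return _apply({**req.get, **req.post}, store)  # any method, no token


def hardened_handler(req: Request, store: set) -> str:
    """Hypothetical fix: POST only, per-session token compared before any write."""
    session = SESSIONS.get(req.cookies.get("PHPSESSID"))
    if not session or not session["is_admin"]:
        return "denied: not admin"
    if req.method != "POST":
        return "denied: POST required"
    token = req.post.get("globalToken", "")
    if not isinstance(token, str) or not hmac.compare_digest(token, session["global_token"]):
        return "denied: bad token"
    return _apply(req.post, store)  # never read the query string


def forge(samesite: str, context: str, method: str, token: str = "") -> Request:
    """Build the request an attacker page produces, with the cookie the browser would attach."""
    cookies = {"PHPSESSID": "adm1n-s3ss"} if browser_attaches_cookie(samesite, context, method) else {}
    params = dict(ATTACKER_GROUP)
    if token:
        params["globalToken"] = token
    return Request(method, params if method == "GET" else {}, params if method == "POST" else {}, cookies)


def run_scenarios() -> dict:
    """(vulnerable, hardened) outcome for each cookie policy and delivery vector."""
    cases = {
        "None/img GET":   ("None", "cross-site-subresource", "GET"),
        "None/form POST": ("None", "cross-site-top-level", "POST"),
        "Lax/img GET":    ("Lax", "cross-site-subresource", "GET"),
        "Lax/link GET":   ("Lax", "cross-site-top-level", "GET"),
        "Lax/form POST":  ("Lax", "cross-site-top-level", "POST"),
    }
    return {name: (vulnerable_handler(forge(*c), set()), hardened_handler(forge(*c), set()))
            for name, c in cases.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in run_scenarios().items():
        print(f"{name:15} vulnerable={vuln:<22} hardened={hard}")
```

Running it shows the <img> GET succeeding against the vulnerable handler only because the cookie is SameSite=None, but also that changing the cookie to Lax would not be a complete fix on its own: a top-level GET (a link or redirect the admin follows) still carries a Lax cookie, and the endpoint still accepts GET. Only the POST-plus-token check rejects every cross-site variant while still accepting the legitimate same-site POST that carries the session's token.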
Exploitability
CVSS 3.1 base score: 8.1 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: Required; Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: None