CVE-2021-21286
Authorization Bypass in AVideo Platform
Severity Score
8.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
AVideo Platform is an open-source Audio and Video platform. It is similar to a self-hosted YouTube. In AVideo Platform before version 10.2 there is an authorization bypass vulnerability which enables an ordinary user to get admin control. This is fixed in version 10.2. All queries now remove the pass hash and the recoverPass hash.
AVideo Platform es una plataforma de Audio y Video de código abierto. Es similar a un YouTube auto-hosteado. En AVideo Platform versiones anteriores a 10.2, se presenta una vulnerabilidad de omisión de autorización que permite a un usuario común obtener el control de administrador. Esto es corregido en la versión 10.2. Todas las consultas ahora eliminan el hash pass y el hash recoveryPass
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2020-12-22 CVE Reserved
- 2021-02-01 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-863: Incorrect Authorization
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://github.com/WWBN/AVideo/security/advisories/GHSA-xq8j-fhg5-hr39 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://avideo.tube | 2021-02-05 |