📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia
Vulnerabilities

CVE-2020-37173

High ⚡ Exploit Available
CWE-359 — Weakness Type
Published: Feb 11, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3: 7.5
📄 Description (English)

AVideo Platform 8.1 contains an information disclosure vulnerability that allows attackers to enumerate user details through the playlistsFromUser.json.php endpoint. Attackers can retrieve sensitive user information including email, password hash, and administrative status by manipulating the users_id parameter.

🤖 AI Executive Summary

AVideo Platform 8.1 contains a critical information disclosure vulnerability in the playlistsFromUser.json.php endpoint that allows unauthenticated attackers to enumerate and extract sensitive user data including email addresses, password hashes, and administrative privileges through parameter manipulation. This vulnerability poses significant risk to organizations using AVideo for content management and distribution, particularly those handling sensitive media or user authentication. Exploitation is straightforward and publicly available exploits exist, making immediate patching essential.

🤖 AI Intelligence Analysis (analyzed: Apr 30, 2026 12:38)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using AVideo Platform 8.1 for media distribution, educational content management, or internal communications face significant risk. Most vulnerable sectors include: (1) Government agencies and ministries using AVideo for internal training and communications; (2) Educational institutions (universities, technical colleges) relying on AVideo for e-learning platforms; (3) Media and broadcasting companies using AVideo for content management; (4) Healthcare organizations using video for telemedicine or training; (5) Large enterprises with internal video platforms. The vulnerability enables attackers to harvest administrative credentials, potentially leading to complete platform compromise, unauthorized content access, and lateral movement into organizational networks.
🏢 Affected Saudi Sectors
Government and Public Administration; Education and Universities; Healthcare and Medical Institutions; Media and Broadcasting; Telecommunications; Large Enterprises with Internal Communications; Financial Services (if using for internal training)
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of AVideo Platform 8.1 in your environment using network scanning tools
2. Restrict network access to the playlistsFromUser.json.php endpoint using WAF rules or firewall policies
3. Implement IP whitelisting for legitimate API consumers
4. Monitor access logs for suspicious enumeration patterns (multiple sequential user_id requests)

PATCHING:
1. Upgrade AVideo Platform to version 8.2 or later immediately
2. If immediate upgrade is not possible, apply vendor security patches
3. Test patches in non-production environment before deployment
4. Verify patch effectiveness by attempting to access playlistsFromUser.json.php with arbitrary user_id values

COMPENSATING CONTROLS (if patch unavailable):
1. Disable or remove the playlistsFromUser.json.php endpoint if not required
2. Implement authentication requirements for all API endpoints
3. Apply rate limiting to API requests
4. Implement request validation to reject suspicious user_id parameters

DETECTION:
1. Monitor for HTTP requests to playlistsFromUser.json.php with varying user_id parameters
2. Alert on sequences of requests with incrementing or random user_id values
3. Log and review all API access to user enumeration endpoints
4. Implement SIEM rules: (source_ip != whitelist) AND (endpoint = playlistsFromUser.json.php) AND (request_count > 5 in 5min)
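The detection rule above, worked through as an added Python example (this is not code from the page or from the AVideo project). It parses combined-format web access log lines, keeps only requests whose path ends in playlistsFromUser.json.php (the install's directory prefix is not given here, so it matches on the basename), drops sources in a whitelist, and raises one alert per source that exceeds 5 requests in any 5-minute window, additionally reporting whether the requested ids in that window were strictly incrementing. The NVD text names the parameter `users_id` while the remediation steps say `user_id`, so both are accepted. The log format, the `10.0.0.0/8` whitelist and every sample line are constructed for the example.

```python
"""Detect user-enumeration attempts against playlistsFromUser.json.php in web access logs.

Added example (not the AVideo project's code). Implements the rule:
(source_ip not in whitelist) AND (endpoint == playlistsFromUser.json.php)
AND (request_count > 5 in 5 min), and additionally reports whether the ids
in the offending window were strictly incrementing. The log format, the
whitelist and the sample lines are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined"-style access line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)
ENDPOINT = "playlistsFromUser.json.php"   # matched on basename; directory prefix unknown here
ID_PARAMS = ("users_id", "user_id")       # NVD text says users_id, remediation text says user_id
WINDOW = timedelta(minutes=5)
THRESHOLD = 5                             # rule fires when request_count > 5
WHITELIST = [ip_network("10.0.0.0/8")]    # constructed: legitimate internal API consumers


def parse_line(line):
    """Return an event dict for a request to the endpoint, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    if url.path.rsplit("/", 1)[-1] != ENDPOINT:
        return None
    qs = parse_qs(url.query)
    uid = next((qs[p][0] for p in ID_PARAMS if p in qs), None)
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "uid": uid, "status": int(m["status"])}


def is_whitelisted(ip):
    return any(ip_address(ip) in net for net in WHITELIST)


def is_incrementing(uids):
    """True when at least three numeric ids form a strictly consecutive run (1, 2, 3, ...)."""
    nums = [int(u) for u in uids if u is not None and u.isdigit()]
    return len(nums) >= 3 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


def detect(lines):
    """One alert per non-whitelisted source exceeding THRESHOLD endpoint requests in any WINDOW."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and not is_whitelisted(ev["ip"]):
            by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start, best, best_window = 0, 0, []
        for end in range(len(events)):              # sliding window over the sorted events
            while events[end]["ts"] - events[start]["ts"] > WINDOW:
                start += 1
            if end - start + 1 > best:
                best, best_window = end - start + 1, events[start:end + 1]
        if best > THRESHOLD:
            uids = [e["uid"] for e in best_window]
            alerts.append({"source_ip": ip, "count": best,
                           "user_ids": uids, "incrementing": is_incrementing(uids)})
    return alerts


# Constructed sample log: a sequential enumerator, a randomised one, a busy but
# whitelisted internal consumer, and an ordinary visitor.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Mar/2026:10:00:{i:02d} +0300] "GET /playlistsFromUser.json.php?users_id={i} HTTP/1.1" 200 512'
     for i in range(1, 7)]
    + ['203.0.113.7 - - [10/Mar/2026:10:00:09 +0300] "GET /index.php HTTP/1.1" 200 2048']
    + [f'198.51.100.9 - - [10/Mar/2026:10:0{2 + k // 2}:{(k % 2) * 30:02d} +0300] "GET /playlistsFromUser.json.php?user_id={u} HTTP/1.1" 200 500'
       for k, u in enumerate([42, 7, 913, 3, 58, 21, 77])]
    + [f'10.1.2.3 - - [10/Mar/2026:10:01:{i:02d} +0300] "GET /playlistsFromUser.json.php?users_id={100 + i} HTTP/1.1" 200 480'
       for i in range(8)]
    + ['192.0.2.5 - - [10/Mar/2026:10:03:15 +0300] "GET /playlistsFromUser.json.php?users_id=5 HTTP/1.1" 200 512']
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as-is it prints two alerts: the source walking ids 1 through 6 (flagged as incrementing) and the source requesting seven random ids, while the whitelisted internal address and the single-request visitor produce nothing. Counting only requests to the endpoint, rather than all traffic from the source, keeps the rule from firing on ordinary browsing; the `incrementing` flag is a cheap extra signal for the step-2 pattern and does not replace the count threshold.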
🔧 Remediation Steps (translated from Arabic)
IMMEDIATE ACTIONS:
1. Identify all instances of AVideo Platform version 8.1 in your environment using network scanning tools
2. Restrict network access to the playlistsFromUser.json.php endpoint using WAF rules or firewall policies
3. Apply IP address whitelisting for legitimate API consumers
4. Monitor access logs for suspicious enumeration patterns (multiple sequential user_id requests)

PATCHING:
1. Upgrade the AVideo platform to version 8.2 or later immediately
2. If an immediate upgrade is not possible, apply the vendor's security patches
3. Test patches in a non-production environment before deployment
4. Verify patch effectiveness by attempting to access playlistsFromUser.json.php with arbitrary user_id values

COMPENSATING CONTROLS (if a patch is not available):
1. Disable or remove the playlistsFromUser.json.php endpoint if it is not required
2. Apply authentication requirements to all API endpoints
3. Apply rate limiting to API requests
4. Apply request validation to reject suspicious user_id parameters

DETECTION:
1. Monitor HTTP requests to playlistsFromUser.json.php with varying user_id parameters
2. Alert on sequences of requests with incrementing or random user_id values
3. Log and review all access to user enumeration endpoints
4. SIEM rules: (source_ip != whitelist) AND (endpoint = playlistsFromUser.json.php) AND (request_count > 5 in 5min)
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.2 - Access Control and User Management
A.7.1.1 - Cryptography and Password Protection
A.8.2.1 - System and Communications Protection
A.8.2.3 - Information System Monitoring
🔵 SAMA CSF
ID.AM-2: Software, platforms, and applications within the organization are inventoried
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited
PR.DS-1: Data-at-rest is protected
DE.CM-1: The organization is aware of real-time information and logs of information system components and the network
RS.MI-2: Incidents are mitigated
🟡 ISO 27001:2022
A.5.1.1 - Policies for information security
A.6.1.2 - Information security roles and responsibilities
A.8.1.1 - User endpoint devices
A.8.2.1 - User authentication
A.8.2.3 - Management of privileged access rights
A.8.3.1 - Information access restriction
A.12.4.1 - Event logging
🟣 PCI DSS v4.0.1
Requirement 1.1 - Firewall configuration standards
Requirement 2.1 - Default security parameters
Requirement 6.2 - Security patches and updates
Requirement 8.1 - User identification and authentication
Requirement 10.2 - Automated audit trails
📦 Affected Products / CPE (1 entry)
wwbn:avideo:8.1
📊 CVSS Score: 7.5 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: N (None)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: N (None)
Availability: N (None)
📋 Quick Facts
Severity: High
CVSS Score: 7.5
CWE: CWE-359
EPSS: 0.09%
Exploit: ✓ Yes
Patch: ✓ Yes
Published: 2026-02-11
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.2 / 10.0 (Priority: CRITICAL)
🏷️ Tags: exploit-available, CWE-359