
CVE-2026-33493

High ⚡ Exploit Available
Weakness Type: CWE-22
Published: Mar 23, 2026  ·  Modified: Mar 29, 2026  ·  Source: NVD
CVSS v3: 7.1
📄 Description (English)

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/import.json.php` endpoint accepts a user-controlled `fileURI` POST parameter with only a regex check that the value ends in `.mp4`. Unlike `objects/listFiles.json.php`, which was hardened with a `realpath()` + directory prefix check to restrict paths to the `videos/` directory, `import.json.php` performs no directory restriction. This allows an authenticated user with upload permission to: (1) steal any other user's private video files by importing them into their own account, (2) read `.txt`/`.html`/`.htm` files adjacent to any `.mp4` file on the filesystem, and (3) delete `.mp4` and adjacent text files if writable by the web server process. Commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78 contains a patch.
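The advisory contrasts a suffix-only regex check with the `realpath()` plus directory-prefix check that `listFiles.json.php` received. The following is an added example, not AVideo's own code, written in Python rather than the project's PHP to show the same two patterns side by side; `VIDEOS_DIR` is an assumed install path, and the symlink demonstration builds its own temporary directory.

```python
import os
import re
import tempfile

# Assumed install path (constructed for this example); where AVideo's
# videos/ directory actually lives depends on the deployment.
VIDEOS_DIR = "/var/www/avideo/videos"


def weak_suffix_check(file_uri: str) -> bool:
    """The pre-patch import.json.php behaviour described in the advisory:
    only the ".mp4" suffix is validated, so "../" and absolute paths pass."""
    return re.search(r"\.mp4$", file_uri, re.IGNORECASE) is not None


def hardened_check(file_uri: str, base_dir: str = VIDEOS_DIR) -> bool:
    """realpath() plus directory-prefix check, the pattern the advisory says
    listFiles.json.php was hardened with. Symlinks and ".." are resolved
    first; the resolved path must then lie strictly inside base_dir."""
    if not weak_suffix_check(file_uri):
        return False
    base = os.path.realpath(base_dir)
    # A relative fileURI is interpreted relative to videos/; an absolute one
    # replaces base inside join(), and the prefix test below rejects it.
    resolved = os.path.realpath(os.path.join(base, file_uri))
    # Compare against base plus a separator: a bare startswith(base) would
    # also accept a sibling directory such as ".../videos_private/clip.mp4".
    return resolved.startswith(base + os.sep)


def symlink_escape_is_rejected() -> bool:
    """Why string normalisation alone is not enough: a symlink inside
    videos/ that points outside is caught only because realpath() follows it.
    Builds a throwaway directory layout (constructed) and returns True when
    normpath() would accept the link but hardened_check() rejects it."""
    with tempfile.TemporaryDirectory() as tmp:
        videos = os.path.join(tmp, "videos")
        os.makedirs(videos)
        outside = os.path.join(tmp, "secret.mp4")
        open(outside, "w").close()
        link = os.path.join(videos, "link.mp4")
        os.symlink(outside, link)
        looks_inside = os.path.normpath(link).startswith(videos + os.sep)
        return looks_inside and not hardened_check("link.mp4", base_dir=videos)
```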

🤖 AI Executive Summary

CVE-2026-33493 is a path traversal vulnerability in WWBN AVideo versions up to 26.0 affecting the import.json.php endpoint. An authenticated user with upload permissions can exploit insufficient input validation to read, steal, or delete files outside the intended videos directory, including private videos and configuration files. With a CVSS score of 7.1 and publicly available exploits, this poses a significant risk to organizations hosting AVideo instances.

🤖 AI Intelligence Analysis (analyzed May 10, 2026 01:33)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using WWBN AVideo for internal video management, training platforms, or media distribution (particularly in government agencies, educational institutions, and large enterprises) face significant risk. The vulnerability enables authenticated insiders or compromised accounts to exfiltrate sensitive video content, access configuration files containing credentials, and disrupt service availability. Government entities under NCA oversight and organizations handling classified or confidential video materials are at highest risk. Media and entertainment companies, educational institutions, and corporate training departments using AVideo are also vulnerable.
🏢 Affected Saudi Sectors
- Government and Public Administration
- Education and Training
- Media and Entertainment
- Corporate Training and HR
- Healthcare (video-based training/telemedicine)
- Large Enterprises with internal video platforms
⚖️ Saudi Risk Score (AI): 7.8 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all WWBN AVideo instances in your environment running versions ≤26.0
2. Restrict access to import.json.php endpoint to trusted networks only via WAF/firewall rules
3. Review audit logs for suspicious import.json.php requests with unusual fileURI parameters (containing ../ or absolute paths)
4. Audit user accounts with upload permissions and disable unnecessary accounts

PATCHING:
1. Apply patch from commit e110ff542acdd7e3b81bdd02b8402b9f6a61ad78 immediately
2. Update to AVideo version 26.1 or later when available
3. Test patch in staging environment before production deployment

COMPENSATING CONTROLS (if patching delayed):
1. Implement WAF rules to block import.json.php requests containing path traversal patterns (../, ..\, encoded variants)
2. Apply principle of least privilege: remove upload permissions from non-essential user accounts
3. Configure web server to run with minimal file system permissions
4. Implement file integrity monitoring on configuration files and sensitive directories

DETECTION:
1. Monitor POST requests to /objects/import.json.php for fileURI parameters containing: ../, ..\, %2e%2e, encoded slashes
2. Alert on import.json.php requests from users without recent legitimate upload activity
3. Log and review all file access outside /videos/ directory by web server process
4. Monitor for unusual file deletion patterns in video directories
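Detection item 1 above requires looking inside the POST body, which a standard web-server access log does not record. The following is an added example, not part of the advisory, that runs the check over a constructed WAF/application-style log (assumed format: client, user, method, path, body) and decodes `%2e%2e`, double-encoded and backslash variants before matching.

```python
import re
from urllib.parse import unquote, parse_qs

# Constructed sample lines in an assumed "ip user method path body" format,
# as a WAF or application log that records POST bodies might emit them.
SAMPLE_LOG = """\
10.0.0.5 alice POST /objects/import.json.php fileURI=myclip.mp4
10.0.0.9 bob POST /objects/import.json.php fileURI=../../videos/carol/secret.mp4
10.0.0.9 bob POST /objects/import.json.php fileURI=%2e%2e%2f%2e%2e%2fvideos%2fcarol%2fother.mp4
10.0.0.9 bob POST /objects/import.json.php fileURI=%252e%252e%252fvideos%252fcarol%252fthird.mp4
10.0.0.9 bob POST /objects/import.json.php fileURI=/var/www/avideo/videos/carol/fourth.mp4
10.0.0.7 dave POST /objects/import.json.php fileURI=..\\..\\videos\\erin\\clip.mp4
10.0.0.5 alice GET /objects/listFiles.json.php -
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<user>\S+) (?P<method>\S+) (?P<path>\S+) (?P<body>.*)$"
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo URL encoding until stable (bounded) so %2e%2e and %252e%252e are
    both seen as '..'; backslashes are folded into '/' for matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_traversal(file_uri: str) -> bool:
    """Flag '..' path segments and absolute paths; the endpoint is meant to
    take a path inside the application's own videos/ directory."""
    p = fully_decode(file_uri)
    return p.startswith("/") or any(seg == ".." for seg in p.split("/"))


def flag_import_requests(log_text: str) -> list:
    """Return (user, decoded fileURI) for suspicious import.json.php POSTs."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].endswith("/objects/import.json.php"):
            continue
        # parse_qs performs one round of decoding; fully_decode does the rest.
        for uri in parse_qs(m["body"]).get("fileURI", []):
            if is_traversal(uri):
                hits.append((m["user"], fully_decode(uri)))
    return hits
```

Grouping the hits by user is a direct input to detection item 2: a user whose import requests are all flagged, with no legitimate upload history, is the case to alert on.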
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- A.5.1.1 - Information security policies and procedures
- A.6.1.1 - Access control policy
- A.6.2.1 - User registration and access rights management
- A.8.2.1 - Classification of information
- A.8.2.3 - Handling of assets
- A.12.2.1 - Restrictions on software installation
- A.12.4.1 - Event logging
- A.12.4.3 - Protection of log information
- A.14.2.1 - Secure development policy
🔵 SAMA CSF
- ID.AM-2 - Software platforms and applications are inventoried
- PR.AC-1 - Identities and credentials are issued and managed
- PR.AC-3 - Access is managed based on the principle of least privilege
- PR.AC-4 - Access rights and privileges are managed
- PR.DS-2 - Data in transit is protected
- PR.DS-5 - Access to data-at-rest is controlled
- DE.CM-1 - The network is monitored to detect potential cybersecurity events
- DE.CM-3 - Personnel activity is monitored to detect potential cybersecurity events
- RS.MI-2 - Incidents are mitigated
🟡 ISO 27001:2022
- 5.1 - Policies for information security
- 5.3 - Segregation of duties
- 6.1 - Screening
- 6.2 - Terms and conditions of employment
- 8.1 - Prior to employment
- 8.2 - During employment
- 8.3 - Termination and change of employment
- 9.1 - Physical access control
- 9.2 - Secure areas
- 9.4 - Physical and environmental security
- 10.1 - User endpoint devices
- 10.2 - Privileged access rights
- 10.3 - Information access restriction
- 12.4 - Logging
- 14.2 - Secure development policy
📦 Affected Products / CPE (1 entry): wwbn:avideo
📊 CVSS Score: 7.1 / 10.0 (High)
📊 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
- Attack Vector: N (Network)
- Attack Complexity: L (Low)
- Privileges Required: L (Low)
- User Interaction: N (None)
- Scope: U (Unchanged)
- Confidentiality: H (High)
- Integrity: L (Low)
- Availability: N (None)
📋 Quick Facts
- Severity: High
- CVSS Score: 7.1
- CWE: CWE-22
- Exploit: Yes
- Patch: Yes
- Published: 2026-03-23
- Source Feed: nvd
🇸🇦 Saudi Risk Score: 7.8 / 10.0 (Priority: HIGH)
🏷️ Tags: exploit-available, patch-available, CWE-22