📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia
CVE-2026-33649

High ⚡ Exploit Available
Weakness Type: CWE-352 (Cross-Site Request Forgery)
Published: Mar 23, 2026 · Modified: Mar 29, 2026 · Source: NVD
CVSS v3: 8.1
📄 Description (English)

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermission.json.php` endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and the application explicitly sets `session.cookie_samesite=None` on session cookies. This allows an unauthenticated attacker to craft a page with `<img>` tags that, when visited by an admin, silently grant arbitrary permissions to the attacker's user group — escalating the attacker to near-admin access. As of time of publication, no known patched versions are available.

🤖 AI Executive Summary

CVE-2026-33649 is a critical CSRF vulnerability in WWBN AVideo versions up to and including 26.0 that allows unauthenticated attackers to escalate privileges by silently modifying user group permissions through crafted web pages. The vulnerability stems from the absence of CSRF token validation combined with a permissive SameSite cookie setting, so a single visit by an administrator to a malicious page is enough to grant the attacker's group near-admin access. With no patch currently available and active exploits in the wild, this poses an immediate threat to organizations using AVideo for video hosting and content management.

🤖 AI Intelligence Analysis (analyzed: Apr 26, 2026 09:03)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using WWBN AVideo for internal video platforms, training portals, or content distribution—particularly in government agencies, educational institutions, and large enterprises—face immediate privilege escalation risks. The vulnerability is especially critical for SAMA-regulated financial institutions using AVideo for internal communications, NCA-supervised government entities managing sensitive video content, and healthcare organizations using video conferencing features. Telecom operators (STC, Mobily, Zain) and energy sector organizations (ARAMCO, SEC) deploying AVideo for internal collaboration are at high risk of unauthorized administrative access and data exfiltration.
🏢 Affected Saudi Sectors: Government, Banking and Financial Services, Healthcare, Education, Energy and Utilities, Telecommunications, Media and Broadcasting, Enterprise IT
⚖️ Saudi Risk Score (AI): 9.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Disable or restrict access to the `plugin/Permissions/setPermission.json.php` endpoint via WAF rules or network segmentation until patching is available
2. Implement strict CSRF token validation at the application level by adding token checks to all state-changing operations
3. Change session cookie settings from `session.cookie_samesite=None` to `session.cookie_samesite=Strict` in php.ini or application configuration
4. Audit all user group permissions and privilege assignments to identify unauthorized changes
5. Force re-authentication for all admin users and revoke active sessions

COMPENSATING CONTROLS:
6. Deploy WAF rules to block GET requests to permission-modifying endpoints; enforce POST-only with CSRF tokens
7. Implement Content Security Policy (CSP) headers to prevent cross-site request execution
8. Monitor and log all permission modification attempts; alert on suspicious patterns
9. Restrict admin access to trusted IP ranges or VPN-only access
10. Implement rate limiting on authentication and permission endpoints
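The following is an added example, not code from the AVideo project or from this advisory, showing what immediate actions 2 and 3 and compensating control 6 amount to in code: the state-changing handler accepts POST only, requires a session-bound CSRF token compared in constant time, and the session cookie refuses `SameSite=None`. It is written in Python rather than the application's PHP so the logic can be read stand-alone; the `Session` and `Request` classes, the `legacy_set_permission` and `hardened_set_permission` handlers, and the `group`/`perm` parameter names are all hypothetical stand-ins and not AVideo's own code or parameters.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


# Hypothetical in-memory models standing in for the application's session and
# request objects (not AVideo's own classes).
@dataclass
class Session:
    user_id: str
    is_admin: bool
    # One unguessable token per session; the form embeds it and the handler checks it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    params: Dict[str, str]        # query string for GET, form body for POST
    session: Optional[Session]    # None when the browser sent no session cookie


def session_cookie_header(session_id: str, samesite: str = "Strict") -> str:
    """Build the Set-Cookie line for the session cookie (remediation step 3).

    SameSite=None is refused: it is the setting that makes the browser attach
    the admin's cookie to requests initiated from other sites."""
    if samesite not in ("Strict", "Lax"):
        raise ValueError("session cookie must use SameSite=Strict or SameSite=Lax")
    return f"PHPSESSID={session_id}; Path=/; Secure; HttpOnly; SameSite={samesite}"


def legacy_set_permission(req: Request, groups: Dict[str, Set[str]]) -> dict:
    """The weakness class described above: only 'is the caller an admin?' is
    checked. Method and request origin are not, so a request the admin's
    browser was induced to send succeeds as long as the cookie rides along."""
    if req.session is None or not req.session.is_admin:
        return {"status": 403, "error": "forbidden"}
    groups.setdefault(req.params["group"], set()).add(req.params["perm"])
    return {"status": 200, "ok": True}


def hardened_set_permission(req: Request, groups: Dict[str, Set[str]]) -> dict:
    """Remediation steps 2 and 6: POST only, admin session, valid CSRF token."""
    if req.method != "POST":
        return {"status": 405, "error": "method_not_allowed"}
    if req.session is None or not req.session.is_admin:
        return {"status": 403, "error": "forbidden"}
    supplied = req.params.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(supplied.encode(), req.session.csrf_token.encode()):
        return {"status": 403, "error": "invalid_csrf_token"}
    groups.setdefault(req.params["group"], set()).add(req.params["perm"])
    return {"status": 200, "ok": True}


def demo() -> dict:
    """Run the same requests against both handlers and report what each did."""
    admin = Session(user_id="admin", is_admin=True)
    # A GET carrying the admin's session but no token: what a browser sends when
    # a foreign page references the endpoint and the cookie is SameSite=None.
    forged = Request("GET", {"group": "7", "perm": "manage_users"}, admin)
    legacy_groups: Dict[str, Set[str]] = {}
    hardened_groups: Dict[str, Set[str]] = {}
    out = {
        "legacy_forged": legacy_set_permission(forged, legacy_groups)["status"],
        "legacy_changed": "manage_users" in legacy_groups.get("7", set()),
        "hardened_forged": hardened_set_permission(forged, hardened_groups)["status"],
        "hardened_post_no_token": hardened_set_permission(
            Request("POST", {"group": "7", "perm": "manage_users"}, admin), hardened_groups
        )["status"],
    }
    out["hardened_changed_before_legit"] = "manage_users" in hardened_groups.get("7", set())
    legit = Request("POST", {"group": "7", "perm": "manage_users",
                             "csrf_token": admin.csrf_token}, admin)
    out["hardened_legit"] = hardened_set_permission(legit, hardened_groups)["status"]
    out["cookie"] = session_cookie_header("constructed-session-id")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The legacy handler records the change for the forged GET while the hardened one returns 405 for GET and 403 for a POST without the token; only the POST that carries the session's own token goes through. The cookie attribute and the token check are independent layers, so keeping both (as steps 2 and 3 both require) means a regression in either does not reopen the issue on its own.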

DETECTION RULES:
- Alert on GET requests to `setPermission.json.php` endpoint
- Monitor for permission changes originating from non-admin user agents or referrer headers
- Track rapid permission escalations for newly created or low-privilege accounts
- Log all session cookie modifications and SameSite policy changes
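The first three detection rules above can be run over ordinary web server access logs. The script below is an added example, not part of this advisory, that parses Combined Log Format lines and raises one alert per rule hit: any GET to `setPermission.json.php`, any request to that endpoint whose Referer host is not the site's own host, and a burst of successful permission changes from one client inside a short window. The log lines, the host `video.example.com`, the third-party referer, and the `group`/`perm` query parameters are all constructed for the example and are not AVideo's real parameter names; the window and burst threshold are assumptions to tune per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample access-log lines (Combined Log Format). Query parameter
# names are placeholders, not AVideo's real parameter names.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Mar/2026:10:15:01 +0300] "GET /plugin/Permissions/setPermission.json.php?group=7&perm=3 HTTP/1.1" 200 43 "https://third-party.example/page.html" "Mozilla/5.0"
203.0.113.5 - - [24/Mar/2026:10:15:02 +0300] "GET /plugin/Permissions/setPermission.json.php?group=7&perm=4 HTTP/1.1" 200 43 "https://third-party.example/page.html" "Mozilla/5.0"
198.51.100.9 - - [24/Mar/2026:11:00:00 +0300] "POST /plugin/Permissions/setPermission.json.php HTTP/1.1" 200 43 "https://video.example.com/plugin/Permissions/" "Mozilla/5.0"
198.51.100.9 - - [24/Mar/2026:11:00:05 +0300] "GET /video/1234 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ENDPOINT = "/plugin/Permissions/setPermission.json.php"   # path named in the advisory

Alert = Tuple[str, str, object]   # (rule name, client ip, detail)


def parse_line(line: str) -> Optional[dict]:
    """Split one Combined Log Format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = urlsplit(rec["target"]).path     # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def detect(log_text: str, own_host: str,
           burst_threshold: int = 2, burst_window_s: int = 60) -> List[Alert]:
    """Apply the three access-log detection rules and return the alerts raised."""
    alerts: List[Alert] = []
    recent: Dict[str, List[datetime]] = defaultdict(list)   # ip -> times of 2xx changes
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != ENDPOINT:
            continue
        # Rule 1: the endpoint is state-changing, so a GET is itself suspicious.
        if rec["method"] == "GET":
            alerts.append(("get_to_state_changing_endpoint", rec["ip"], rec["target"]))
        # Rule 2: a Referer from another site means the request was not started
        # from the application's own pages. Absent Referer ("-") is not flagged here.
        if rec["referer"] != "-":
            ref_host = urlsplit(rec["referer"]).hostname
            if ref_host != own_host:
                alerts.append(("cross_site_referer", rec["ip"], rec["referer"]))
        # Rule 3: several successful permission changes from one client in a
        # short window (rapid escalation).
        if 200 <= rec["status"] < 300:
            window = recent[rec["ip"]]
            window.append(rec["ts"])
            window[:] = [t for t in window
                         if (rec["ts"] - t).total_seconds() <= burst_window_s]
            if len(window) >= burst_threshold:
                alerts.append(("rapid_permission_changes", rec["ip"], len(window)))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG, "video.example.com"):
        print(f"{rule:32s} {ip:15s} {detail}")
```

On the constructed lines the two GETs from 203.0.113.5 trigger rules 1 and 2 each and rule 3 once, while the POST from 198.51.100.9 with a same-host Referer raises nothing. In production the Referer rule needs care because privacy settings and some proxies strip the header entirely, which is why the script treats a missing Referer as neutral rather than as an alert; the GET rule remains the strongest signal once the endpoint is POST-only.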
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC 2024 A.5.1.1 - Access Control Policy (CSRF protection required)
- ECC 2024 A.5.2.1 - User Registration and Access Management (privilege escalation prevention)
- ECC 2024 A.5.3.1 - Password Management (session security and cookie handling)
- ECC 2024 A.8.2.1 - Information Security Event Logging (audit trail for permission changes)
- ECC 2024 A.12.4.1 - Event Logging (detection and monitoring of unauthorized access attempts)
🔵 SAMA CSF
- SAMA CSF 1.1 - Governance and Risk Management (vulnerability management)
- SAMA CSF 2.1 - Access Control (CSRF protection and privilege management)
- SAMA CSF 2.2 - Authentication and Authorization (session security)
- SAMA CSF 3.1 - Data Protection (preventing unauthorized privilege escalation)
- SAMA CSF 4.1 - Monitoring and Detection (logging and alerting on suspicious activities)
🟡 ISO 27001:2022
- ISO 27001:2022 A.5.15 - Access Control (CSRF token implementation)
- ISO 27001:2022 A.5.16 - Authentication (session cookie security)
- ISO 27001:2022 A.5.17 - Access Rights Review (privilege escalation detection)
- ISO 27001:2022 A.8.15 - Logging (audit trails for permission modifications)
- ISO 27001:2022 A.8.16 - Monitoring Activities (detection of unauthorized access)
🟣 PCI DSS v4.0.1
- PCI DSS 6.5.9 - Protection Against CSRF Attacks (if payment data accessible)
- PCI DSS 7.1 - Limit Access to System Components (privilege escalation prevention)
- PCI DSS 10.2 - Implement Automated Audit Trails (logging permission changes)
📦 Affected Products / CPE (1 entry): wwbn:avideo
📊 CVSS Score: 8.1 / 10.0 (High)
📊 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
- Attack Vector (AV:N): Network
- Attack Complexity (AC:L): Low
- Privileges Required (PR:N): None
- User Interaction (UI:R): Required
- Scope (S:U): Unchanged
- Confidentiality (C:H): High
- Integrity (I:H): High
- Availability (A:N): None
📋 Quick Facts
- Severity: High
- CVSS Score: 8.1
- CWE: CWE-352
- Exploit: Yes
- Patch: No
- Published: 2026-03-23
- Source Feed: nvd
🇸🇦 Saudi Risk Score: 9.2 / 10.0 (Priority: CRITICAL)
🏷️ Tags: exploit-available, CWE-352