CVE-2026-33767

High ⚡ Exploit Available
CWE-89 — Weakness Type
Published: Mar 27, 2026  ·  Modified: Apr 2, 2026  ·  Source: NVD
CVSS v3
8.8
📄 Description (English)

WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement placeholder (`?`) for `users_id` but directly concatenates `$this->videos_id` into the query string without parameterization. An attacker who can control the `videos_id` value (via a crafted request) can inject arbitrary SQL, bypassing the partial prepared-statement protection. Commit 0215d3c4f1ee748b8880254967b51784b8ac4080 contains a patch.

🤖 AI Executive Summary

WWBN AVideo versions up to 26.0 contain a critical SQL injection vulnerability in the getLike() method where the videos_id parameter is directly concatenated into SQL queries without proper parameterization. Despite using prepared statements for user IDs, the unparameterized videos_id allows attackers to inject arbitrary SQL commands. This vulnerability has a publicly available exploit and affects organizations using AVideo for video hosting and streaming services.

🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 05:17
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations operating video streaming platforms, educational institutions using AVideo for e-learning content delivery, and media companies are at significant risk. Government entities and healthcare organizations utilizing AVideo for internal video communications could face data breaches. Telecom operators (STC, Mobily, Zain) offering video services and financial institutions using video conferencing built on AVideo are particularly vulnerable. The vulnerability enables unauthorized database access, data exfiltration, authentication bypass, and potential lateral movement within organizational networks.
🏢 Affected Saudi Sectors
Media and Broadcasting, Education and E-Learning, Telecommunications, Government and Public Sector, Healthcare, Financial Services, Hospitality and Tourism
⚖️ Saudi Risk Score (AI)
8.6
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of WWBN AVideo running versions 26.0 and earlier in your environment
2. Isolate affected systems from production networks if immediate patching is not possible
3. Review access logs for suspicious SQL patterns in videos_id parameters (look for SQL keywords: UNION, SELECT, DROP, INSERT, UPDATE)
4. Implement Web Application Firewall (WAF) rules to block SQL injection attempts targeting the like.php endpoint

PATCHING GUIDANCE:
1. Upgrade WWBN AVideo to version 26.1 or later immediately (commit 0215d3c4f1ee748b8880254967b51784b8ac4080 or newer)
2. Apply patches during maintenance windows with database backups
3. Test patches in staging environment before production deployment

COMPENSATING CONTROLS (if immediate patching delayed):
1. Implement input validation: whitelist numeric-only values for videos_id parameter
2. Deploy WAF rules: block requests containing SQL metacharacters in videos_id (quotes, semicolons, dashes, asterisks)
3. Enable database query logging and monitoring for anomalous SQL patterns
4. Restrict database user permissions to minimum required privileges
5. Implement rate limiting on like.php endpoint to reduce exploitation window

DETECTION RULES:
1. Monitor HTTP requests to /objects/like.php for videos_id parameters containing patterns such as: ' OR ', OR 1=1, --, UNION, SELECT, DROP, INSERT, UPDATE
2. Alert on database error messages in application logs containing SQL syntax errors
3. Track unusual database queries from AVideo application user account
4. Monitor for multiple failed authentication attempts following like.php requests
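The defect named in the description (a `?` placeholder for users_id beside a concatenated videos_id), the numeric whitelist from compensating control 1, and the access-log check from detection rule 1, shown together in one added Python example. This is not AVideo's code and not part of the advisory: the table layout, the column name like_value, the row data and the access-log lines are constructed for the illustration, and sqlite3 stands in for the real database.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Assumed schema for the illustration (not AVideo's real table layout).
SCHEMA = "CREATE TABLE likes (users_id INTEGER, videos_id INTEGER, like_value INTEGER)"
# Constructed rows: user 1 liked videos 7 and 8, user 2 disliked video 7.
ROWS = [(1, 7, 1), (1, 8, 1), (2, 7, -1)]

VIDEOS_ID_RE = re.compile(r"[1-9][0-9]{0,17}")  # positive integer: no sign, no spaces


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO likes VALUES (?, ?, ?)", ROWS)
    return conn


def get_like_unsafe(conn, users_id, videos_id):
    """Mirrors the defect the advisory describes: users_id goes through a '?'
    placeholder, but videos_id is spliced into the SQL text. Whatever the caller
    supplies becomes part of the statement, so the one placeholder protects nothing."""
    sql = ("SELECT like_value FROM likes WHERE users_id = ? AND videos_id = "
           + str(videos_id))
    return conn.execute(sql, (users_id,)).fetchall()


def validate_videos_id(raw) -> int:
    """Compensating control 1: accept only a plain positive integer for videos_id."""
    text = str(raw).strip()
    if not VIDEOS_ID_RE.fullmatch(text):
        raise ValueError(f"videos_id must be a positive integer, got {text!r}")
    return int(text)


def get_like_safe(conn, users_id, videos_id):
    """Fixed form: both values are bound as parameters, after the whitelist check."""
    vid = validate_videos_id(videos_id)
    sql = "SELECT like_value FROM likes WHERE users_id = ? AND videos_id = ?"
    return conn.execute(sql, (int(users_id), vid)).fetchall()


def safe_rejects(videos_id) -> bool:
    """True if the hardened path refuses the value instead of running it."""
    try:
        validate_videos_id(videos_id)
        return False
    except ValueError:
        return True


# Detection rule 1: constructed web-server access-log lines (combined log format).
SQL_MARKERS = re.compile(r"(?i)\b(union|select|drop|insert|update)\b|'|--")
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [27/Mar/2026:10:00:01 +0300] "GET /objects/like.php?videos_id=42&like=1 HTTP/1.1" 200 17',
    '10.0.0.9 - - [27/Mar/2026:10:00:02 +0300] "GET /objects/like.php?videos_id=42%20OR%201%3D1 HTTP/1.1" 200 17',
    '10.0.0.9 - - [27/Mar/2026:10:00:03 +0300] "GET /objects/like.php?videos_id=42%27%20UNION%20SELECT%201-- HTTP/1.1" 500 0',
    '10.0.0.3 - - [27/Mar/2026:10:00:04 +0300] "GET /index.php?videos_id=drop HTTP/1.1" 200 99',
]


def flag_like_requests(log_lines):
    """Return (line_number, decoded videos_id) for requests to /objects/like.php
    whose videos_id is not a plain positive integer or carries the SQL markers the
    advisory lists. Matching happens after URL decoding (parse_qs does it), so
    %27 and %20 are inspected as the quote and space they encode."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/objects/like.php"):
            continue
        for vid in parse_qs(url.query).get("videos_id", []):
            if not VIDEOS_ID_RE.fullmatch(vid) or SQL_MARKERS.search(vid):
                hits.append((number, vid))
    return hits


if __name__ == "__main__":
    conn = setup_db()
    print("unsafe, honest input :", get_like_unsafe(conn, 1, "7"))
    print("unsafe, crafted input:", get_like_unsafe(conn, 1, "7 OR 1=1"))
    print("safe, honest input   :", get_like_safe(conn, 1, "7"))
    print("safe rejects crafted :", safe_rejects("7 OR 1=1"))
    print("flagged log lines    :", flag_like_requests(SAMPLE_ACCESS_LOG))
```

Two points the rules above leave implicit: keyword matching must run on the URL-decoded parameter, or a percent-encoded value slips past, and a standard access log records only the query string, so a videos_id sent in a POST body never reaches this check. The application-side whitelist is therefore the control to rely on; the log scan is a secondary signal for the period before the patch is applied.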
🔧 Remediation Steps (Arabic)
IMMEDIATE ACTIONS:
1. Identify all WWBN AVideo instances running version 26.0 or earlier in your environment
2. Isolate affected systems from production networks if immediate patching is not possible
3. Review access logs for suspicious patterns in videos_id parameters (look for SQL keywords: UNION, SELECT, DROP, INSERT, UPDATE)
4. Apply web application firewall rules to block SQL injection attempts targeting the like.php endpoint

PATCHING GUIDANCE:
1. Upgrade WWBN AVideo to version 26.1 or later immediately
2. Apply patches during maintenance windows with database backups
3. Test patches in a development environment before deploying to production

COMPENSATING CONTROLS (if immediate patching is delayed):
1. Apply input validation: allow only numeric values for the videos_id parameter
2. Deploy web application firewall rules: block requests containing SQL characters in videos_id
3. Enable database query logging and monitoring
4. Restrict database user permissions to the minimum required
5. Apply rate limiting on the like.php endpoint

DETECTION RULES:
1. Monitor HTTP requests to /objects/like.php to detect videos_id parameters containing SQL patterns
2. Alert on database error messages in application logs
3. Track unusual database queries from the AVideo user account
4. Monitor multiple failed authentication attempts
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1.1 - Input validation and output encoding controls
5.2.1 - Secure coding practices and vulnerability prevention
5.3.1 - Security testing and vulnerability assessment
6.1.1 - Patch and vulnerability management
6.2.1 - Incident detection and response
🔵 SAMA CSF
ID.RA-1 - Asset management and vulnerability identification
PR.DS-6 - Data protection and secure development practices
PR.IP-3 - Secure software development and patch management
DE.CM-1 - Detection and monitoring of anomalous activities
RS.RP-1 - Response planning and incident management
🟡 ISO 27001:2022
A.14.2.1 - Secure development policy
A.14.2.5 - Secure development environment
A.12.6.1 - Management of technical vulnerabilities
A.12.2.1 - Monitoring and logging of access
A.16.1.5 - Response to information security incidents
🟣 PCI DSS v4.0.1
6.5.1 - Injection flaws prevention
6.2 - Security patches and updates
10.2 - Logging and monitoring of access
11.2 - Vulnerability scanning and assessment
📦 Affected Products / CPE 1 entries
wwbn:avideo
📊 CVSS Score
8.8 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): N (Network)
Attack Complexity (AC): L (Low)
Privileges Required (PR): L (Low)
User Interaction (UI): N (None)
Scope (S): U (Unchanged)
Confidentiality (C): H (High)
Integrity (I): H (High)
Availability (A): H (High)
📋 Quick Facts
Severity: High
CVSS Score: 8.8
CWE: CWE-89
EPSS: 0.05%
Exploit: Yes
Patch: Yes
Published: 2026-03-27
Source Feed: nvd
🇸🇦 Saudi Risk Score
8.6 / 10.0 (Saudi Risk)
Priority: CRITICAL
🏷️ Tags
exploit-available, patch-available, CWE-89
