CVE-2026-33512
HIGH 7.5 | EPSS 0.05%
AVideo has an unauthenticated decrypt oracle leaking any ciphertext
Description
### Summary

The API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so any user can recover protected tokens/metadata. Severity: High.

### Details

- Entry: `plugin/API/get.json.php` is unauthenticated.
- Handler: `plugin/API/API.php` `get_api_decryptString()` (lines ~5945–5966):

  ```php
  $string = decryptString($_REQUEST['string']);
  return new ApiObject($string, empty($string));
  ```

  No APISecret or user check occurs before decrypting.
- Public ciphertext source: `view/url2Embed.json.php` returns `playLink`/`playEmbedLink` (`encryptString(json_encode(...))`) to any caller.

### PoC

1. Obtain ciphertext:

   ```
   GET /view/url2Embed.json.php?url=https://example.com/video.mp4
   ```

   Copy `playLink`.
2. Decrypt without auth:

   ```
   POST /plugin/API/get.json.php?APIName=decryptString
   Content-Type: application/x-www-form-urlencoded

   string=<playLink ciphertext>
   ```

   Response contains the plaintext JSON (videoLink, title, users_id, etc.).

### Impact

- Any encrypted payload produced by the platform can be decrypted by anyone.
- Leaks tokens/links intended to be confidential; enables replay and tampering where secrecy was assumed.

### Mitigation

- Require API secret or authenticated/authorized user for `decryptString`, or remove the endpoint.
- Prefer one-way signatures (HMAC) instead of exposing generic decryption.
- Rotate encryption keys/salts after patch to invalidate exposed ciphertexts.
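
The HMAC mitigation above, sketched as an added example (it is not AVideo's code or its patch): the server signs a readable payload and verifies it itself, so no endpoint ever has to turn ciphertext into plaintext for a caller. The function names `issueSignedToken` and `verifySignedToken`, the token layout and the key handling are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration: these functions are hypothetical, not part of AVideo.

// Issue "base64(json).hexmac". The payload is readable by design, so it must
// hold nothing secret; the MAC only proves the server issued it unmodified.
function issueSignedToken(array $claims, string $key, int $ttl = 300): string
{
    $claims['exp'] = time() + $ttl;
    $body = base64_encode(json_encode($claims, JSON_THROW_ON_ERROR));
    return $body . '.' . hash_hmac('sha256', $body, $key);
}

// Returns the claims, or null for a malformed, forged or expired token.
function verifySignedToken(string $token, string $key): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    // Check the MAC before parsing anything; hash_equals() is constant-time.
    if (!hash_equals(hash_hmac('sha256', $body, $key), $mac)) {
        return null;
    }
    $json = base64_decode($body, true);
    $claims = $json === false ? null : json_decode($json, true);
    if (!is_array($claims) || !is_int($claims['exp'] ?? null) || $claims['exp'] < time()) {
        return null;
    }
    return $claims;
}

// Constructed sample values. A real key is loaded from server-side configuration.
$key = random_bytes(32);
$token = issueSignedToken(['videoLink' => 'https://example.com/video.mp4', 'users_id' => 1], $key);

// Flip the last hex digit of the MAC to simulate tampering.
$last = substr($token, -1);
$forged = substr($token, 0, -1) . ($last === '0' ? '1' : '0');

echo 'genuine: ', verifySignedToken($token, $key) === null ? 'rejected' : 'accepted', "\n";
echo 'forged:  ', verifySignedToken($forged, $key) === null ? 'rejected' : 'accepted', "\n";
```

The token contains `+`, `/` and `=` from standard base64, so pass it through `urlencode()` before placing it in a URL.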
Affected packages (1)
- Packagist/wwbn/avideo from 0, <= 26.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |