CVE-2026-33492

{"id": "CVE-2026-33492", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.1}]}, "published": "2026-03-23T16:16:49.257", "references": [{"url": "https://github.com/WWBN/AVideo/commit/5647a94d79bf69a972a86653fe02144079948785", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-x3pr-vrhq-vq43", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-x3pr-vrhq-vq43", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-384"}]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the explicitly disabled session regeneration in `User::login()`, this allows a classic session fixation attack where an attacker can fix a victim's session ID before authentication and then hijack the authenticated session. Commit 5647a94d79bf69a972a86653fe02144079948785 contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, la funci\u00f3n '_session_start()' de AVideo acepta IDs de sesi\u00f3n arbitrarios a trav\u00e9s del par\u00e1metro GET 'PHPSESSID' y los establece como la sesi\u00f3n PHP activa. Existe un bypass de regeneraci\u00f3n de sesi\u00f3n para endpoints espec\u00edficos en la lista negra cuando la solicitud se origina desde el mismo dominio. Combinado con la regeneraci\u00f3n de sesi\u00f3n expl\u00edcitamente deshabilitada en 'User::login()', esto permite un ataque cl\u00e1sico de fijaci\u00f3n de sesi\u00f3n donde un atacante puede fijar el ID de sesi\u00f3n de una v\u00edctima antes de la autenticaci\u00f3n y luego secuestrar la sesi\u00f3n autenticada. El commit 5647a94d79bf69a972a86653fe02144079948785 contiene un parche."}], "lastModified": "2026-03-24T17:47:58.820", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}