Lucene search
+L

4 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:40 p.m.11 views

CVE-2026-43877

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo.png. Its only access control is User::isLogged. It does not...

5.4CVSS5.5AI score0.00121EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/11 8:34 p.m.35 views

CVE-2026-43877 WWBN AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Any Logged-in User's Profile Photo with Arbitrary Bytes

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo.png. Its only access control is User::isLogged. It does not...

5.4CVSS0.00121EPSS
Exploits0References2
CVE
CVE
added 2026/05/11 8:34 p.m.14 views

CVE-2026-43877

CVE-2026-43877 (WWBN/AVideo) : CSRF in objects/userSavePhoto.php allows a logged‑in user’s profile photo to be overwritten with arbitrary bytes via a crafted cross‑origin POST, due to missing CSRF protection (the endpoint does not use the .json.php suffix and is excluded from autoCSRFGuard), no t...

5.4CVSS5.9AI score0.00121EPSS
Exploits0References2
OSV
OSV
added 2026/05/11 8:34 p.m.4 views

CVE-2026-43877 WWBN AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Any Logged-in User's Profile Photo with Arbitrary Bytes

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo.png. Its only access control is User::isLogged. It does not...

5.4CVSS6AI score0.00121EPSS
Exploits0References4
Rows per page
Query Builder