Description

AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials without authentication.

PUBLISHED Reserved 2026-02-10 | Published 2026-02-11 | Updated 2026-02-12 | Assigner VulnCheck




HIGH: 8.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)
MEDIUM: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Problem types

Weak Password Recovery Mechanism for Forgotten Password

Product status

8.1: affected

Credits

Ihsan Sencan (finder)

References

www.exploit-db.com/exploits/48003 (ExploitDB-48003) exploit

avideo.com (Official AVideo Platform Homepage) product

github.com/WWBN/AVideo (AVideo GitHub Repository) product

www.vulncheck.com/...oss-site-request-forgery-password-reset (VulnCheck Advisory: AVideo Platform 8.1 - Cross Site Request Forgery (Password Reset)) third-party-advisory

cve.org (CVE-2020-37172)

nvd.nist.gov (CVE-2020-37172)
