Public March 2026
AVideo Left Full Application Initialization Exposed on the Web
BugBunny.ai found that AVideo’s install/checkConfiguration.php endpoint performed complete application initialization from unauthenticated POST input whenever configuration.php did not yet exist. A remote attacker could finish setup with attacker-controlled credentials, database settings, and persistent configuration values.
TL;DR
- Impact: Remote attackers can take over uninitialized AVideo deployments and persist control through installer-written configuration.
- Attack vector: Unauthenticated POST requests to /install/checkConfiguration.php on fresh or re-deployed instances.
- Affected: AVideo releases before 24.0 when the installer remained web-reachable and the deployment was not yet initialized.
- Status: Published and fixed in AVideo 24.0.
Root Cause
The installer endpoint performed privileged setup operations without authentication, setup tokens, localhost restriction, or any comparable control. Its only guard was whether configuration.php already existed, which is not an access-control mechanism.
Because the attacker could also choose the backing database host and write configuration values to disk, exploitation did not depend on guessing the victim’s database credentials. The design effectively allowed an unauthenticated outsider to become the original administrator of the application.
Product: AVideo
Affected: < 24.0
Patched: >= 24.0
Weaknesses
- CWE-306: Missing Authentication for Critical Function
- CWE-89: SQL Injection
Mitigation
- Upgrade AVideo to version 24.0 or later.
- Restrict installer execution to CLI or trusted local setup paths.
- Require a one-time setup secret for any installation workflow that remains web-accessible.
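The following is an added example written for this advisory, not code from AVideo or from the GitHub advisory. It contrasts the kind of file-existence-only guard described under Root Cause with a guard that implements the mitigation above: the installer may run unauthenticated only from the CLI, and any web-reachable invocation must present a one-time setup secret that the operator placed on disk and that is deleted once setup completes. The file paths, the setup_token POST field, and the token-file location are assumptions for illustration.

```php
<?php
// Added example (not AVideo's own code): guarding an installer endpoint
// such as install/checkConfiguration.php. Paths below are assumptions.

declare(strict_types=1);

const CONFIG_FILE      = __DIR__ . '/../videos/configuration.php'; // assumed location
const SETUP_TOKEN_FILE = __DIR__ . '/../videos/.setup_token';      // assumed: created by the operator

function installerAlreadyRan(string $configFile): bool
{
    return file_exists($configFile);
}

// File-existence-only guard, in the style the advisory describes as the root
// cause: whoever reaches the URL before first run is allowed to finish setup.
function weakInstallerGuard(string $configFile): bool
{
    return !installerAlreadyRan($configFile);
}

// Compare the presented secret against the operator-provisioned token file.
function setupTokenIsValid(string $tokenFile, ?string $presented): bool
{
    if ($presented === null || !is_readable($tokenFile)) {
        return false;
    }
    $expected = trim((string) file_get_contents($tokenFile));
    // Reject trivially short secrets and compare in constant time.
    return strlen($expected) >= 32 && hash_equals($expected, $presented);
}

/**
 * Hardened guard. Setup may proceed only when:
 *   1. configuration.php does not exist yet (first run), and
 *   2. either the installer runs under the CLI SAPI (operator on the host), or
 *      the web request carries the one-time setup secret.
 * Returns true when installation may proceed.
 */
function hardenedInstallerGuard(string $configFile, string $tokenFile, array $post): bool
{
    if (installerAlreadyRan($configFile)) {
        return false;
    }
    if (PHP_SAPI === 'cli') {
        return true;
    }
    return setupTokenIsValid($tokenFile, $post['setup_token'] ?? null);
}

// One-time semantics: discard the secret as soon as setup has succeeded, so a
// re-deployment cannot be re-initialized with the same token.
function consumeSetupToken(string $tokenFile): void
{
    if (file_exists($tokenFile)) {
        unlink($tokenFile);
    }
}

if (!hardenedInstallerGuard(CONFIG_FILE, SETUP_TOKEN_FILE, $_POST)) {
    http_response_code(403);
    exit('Installer is not available.');
}

// ... validate POST input and write configuration.php here ...

consumeSetupToken(SETUP_TOKEN_FILE);
```

The operator creates the token file (for example from 32 or more random bytes) before exposing the instance and the guard deletes it after the first successful run, so a freshly deployed or wiped instance is never in the state the advisory describes, where the absence of configuration.php alone makes the installer usable by anyone on the network. A further tightening, if the installer must stay web-reachable, is to additionally restrict it at the web server to loopback or an administrative network.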
Credits & Disclosure
Published via GitHub Security Advisory GHSA-2f9h-23f7-8gcx for WWBN/AVideo on March 16, 2026.