CVE-2026-33351
WWBN · AVideo (Live plugin)
WWBN AVideo is vulnerable to unauthenticated Server-Side Request Forgery (SSRF) via the `webSiteRootURL` parameter. Attackers can use the server to fetch internal resources.
Executive summary
An unauthenticated SSRF vulnerability in the WWBN AVideo Live plugin allows remote attackers to use the server as a proxy to probe internal network resources.
Vulnerability
The `plugin/Live/standAloneFiles/saveDVR.json.php` file uses the `webSiteRootURL` parameter in a `file_get_contents()` call without any authentication or URL validation. This allows an unauthenticated attacker to trigger arbitrary outbound HTTP requests from the server.
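A defensive illustration of the URL allowlisting the fix describes, added here and not taken from AVideo's own code: the untrusted parameter is checked against the instance's configured root before any fetch happens. It assumes the configured value lives in `$global['webSiteRootURL']` and that the handler reads the untrusted value from `$_REQUEST['webSiteRootURL']`; both names are assumptions.

```php
<?php
// Added example, not AVideo's own code. Assumes the instance's configured
// root lives in $global['webSiteRootURL'] and the handler reads the
// untrusted value from $_REQUEST['webSiteRootURL'] (both assumed names).

// Returns the candidate only if it is an http(s) URL whose scheme, host and
// port match the configured site root; anything else (internal hosts, cloud
// metadata IPs, embedded credentials, odd schemes) is rejected with null.
function validateWebSiteRootURL(string $candidate, string $configuredRoot): ?string
{
    $got  = parse_url($candidate);
    $want = parse_url($configuredRoot);
    if ($got === false || $want === false || empty($got['host']) || empty($want['host'])) {
        return null;
    }
    $scheme = strtolower($got['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;          // blocks file://, gopher://, php:// and friends
    }
    if ($scheme !== strtolower($want['scheme'] ?? '')) {
        return null;          // no downgrade from the configured scheme
    }
    if (isset($got['user']) || isset($got['pass'])) {
        return null;          // reject http://ourhost@other-host/ style URLs
    }
    if (strcasecmp($got['host'], $want['host']) !== 0) {
        return null;          // the allowlist: only our own hostname
    }
    $defaultPort = $scheme === 'https' ? 443 : 80;
    if (($got['port'] ?? $defaultPort) !== ($want['port'] ?? $defaultPort)) {
        return null;          // no port probing via our own hostname
    }
    return $candidate;
}

// Vulnerable shape described in the advisory: the request parameter flows
// straight into file_get_contents():
//   $body = file_get_contents($_REQUEST['webSiteRootURL'] . $suffix);

// Hardened shape: refuse the request unless the value passes the allowlist.
$root = validateWebSiteRootURL((string)($_REQUEST['webSiteRootURL'] ?? ''), $global['webSiteRootURL']);
if ($root === null) {
    http_response_code(400);
    exit('invalid webSiteRootURL');
}
// $root is now safe to use as the base URL for file_get_contents().
```

Where the value is only ever expected to be the server's own root, the simplest fix is to ignore the request parameter entirely and use the configured value directly.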
Business impact
This SSRF vulnerability poses a significant risk to internal infrastructure. Attackers can bypass firewalls to scan internal ports, access metadata services (such as AWS IMDS), or interact with internal APIs that are not exposed to the internet. The CVSS score of 9.1 reflects the high potential for lateral movement and internal data exfiltration.
Remediation
Immediate Action: Update WWBN AVideo to version 26.0 or later, which includes necessary origin validation and URL allowlisting.
Proactive Monitoring: Monitor egress traffic from the AVideo server for unusual requests to internal IP ranges (e.g., 10.0.0.0/8, 192.168.0.0/16) or cloud provider metadata endpoints.
Compensating Controls: Implement strict outbound firewall rules (Egress Filtering) to prevent the web server from initiating connections to sensitive internal network segments.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical nature of SSRF in modern infrastructure, this vulnerability should be remediated immediately. Updating to version 26.0 is the only way to ensure the code properly validates request origins. Administrators should also ensure the server follows the principle of least privilege regarding network access.