CVE-2026-33502

WWBN · AVideo

An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in WWBN AVideo's Live plugin allows attackers to probe internal networks and cloud metadata endpoints.

Executive summary

WWBN AVideo is vulnerable to a critical SSRF flaw that allows unauthenticated attackers to scan internal infrastructure and potentially steal cloud service credentials.

Vulnerability

The vulnerability exists in plugin/Live/test.php. It allows an unauthenticated remote user to force the server to send HTTP requests to arbitrary URLs, including localhost and internal network resources that are not publicly accessible.

Business impact

Attackers can use this SSRF to bypass firewall restrictions and access internal services, such as databases or configuration management tools. In cloud environments, this can be used to query the Instance Metadata Service (IMDS) to steal temporary security tokens, leading to a full cloud account compromise. The CVSS score of 9.3 reflects this high potential for lateral movement.

Remediation

Immediate Action: Apply the patch in commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 or update to the latest version.

Proactive Monitoring: Monitor outbound network traffic from the AVideo server for requests to internal IP ranges (e.g., 10.0.0.0/8, 192.168.0.0/16) and to the cloud metadata address (169.254.169.254).

Compensating Controls: Implement egress filtering at the network level to prevent the web server from initiating connections to sensitive internal ports or metadata services.
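As an added example (not code from the AVideo project or from the advisory), the following script implements the "Proactive Monitoring" item above: it reads outbound connection records from the AVideo host and flags destinations that an SSRF in plugin/Live/test.php could be steered at, namely loopback, RFC 1918 space, link-local space and the 169.254.169.254 metadata address. The log format, the sample lines and the source address 10.20.0.5 are constructed for this example; only parse_line() is tied to that format, so it can be swapped for your egress proxy or conntrack export. It goes slightly beyond the page's list by also covering 172.16.0.0/12 and the IPv6 loopback and unique-local ranges.

```python
"""
Added example, not code from the AVideo project or from the advisory author:
an outbound-connection monitor that flags the destinations an SSRF on the
web server could be pointed at. The log format below is constructed for
this example; parse_line() is the only part tied to it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Destination classes that a public video server should not be contacting
# from request handlers. The metadata address is checked before the
# link-local block it sits in so that it gets its own severity.
INTERNAL_RANGES = {
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
    "rfc1918-10": ipaddress.ip_network("10.0.0.0/8"),
    "rfc1918-172": ipaddress.ip_network("172.16.0.0/12"),
    "rfc1918-192": ipaddress.ip_network("192.168.0.0/16"),
    "link-local": ipaddress.ip_network("169.254.0.0/16"),
    "loopback-v6": ipaddress.ip_network("::1/128"),
    "ula-v6": ipaddress.ip_network("fc00::/7"),
}
METADATA_ADDRESS = ipaddress.ip_address("169.254.169.254")


@dataclass
class Finding:
    timestamp: str
    destination: str
    reason: str
    severity: str


def classify_destination(ip_text: str) -> Optional[tuple[str, str]]:
    """Return (reason, severity) for an internal/metadata target, else None.

    Hostnames are not classified here: resolve them first and pass the
    resulting addresses, otherwise a DNS name pointing at 127.0.0.1 slips by.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if ip == METADATA_ADDRESS:
        return ("cloud metadata endpoint", "critical")
    for name, network in INTERNAL_RANGES.items():
        if ip in network:  # ipaddress returns False across IP versions
            return (f"internal range {name} ({network})", "high")
    return None


def parse_line(line: str) -> Optional[dict]:
    """Constructed format: '<iso-timestamp> src=<ip> dst=<ip-or-[ipv6]>:<port>'."""
    fields = line.split()
    if len(fields) < 3:
        return None
    record = {"ts": fields[0]}
    for field in fields[1:]:
        key, sep, value = field.partition("=")
        if sep:
            record[key] = value
    host, sep, port = record.get("dst", "").rpartition(":")
    if not sep:
        return None
    record["dst_host"] = host.strip("[]")  # '[::1]' -> '::1'
    record["dst_port"] = port
    return record


def scan(lines) -> list[Finding]:
    """Run every log line through the classifier and collect the hits."""
    findings = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        hit = classify_destination(record["dst_host"])
        if hit is not None:
            reason, severity = hit
            findings.append(Finding(record["ts"],
                                    f'{record["dst_host"]}:{record["dst_port"]}',
                                    reason, severity))
    return findings


# Constructed sample: one legitimate CDN fetch followed by the kinds of
# connections an SSRF probe would generate from the web server (src 10.20.0.5).
SAMPLE_LOG = [
    "2026-03-01T10:00:01Z src=10.20.0.5 dst=203.0.113.10:443",
    "2026-03-01T10:00:07Z src=10.20.0.5 dst=169.254.169.254:80",
    "2026-03-01T10:00:09Z src=10.20.0.5 dst=127.0.0.1:3306",
    "2026-03-01T10:00:12Z src=10.20.0.5 dst=192.168.1.20:8080",
    "2026-03-01T10:00:15Z src=10.20.0.5 dst=[::1]:80",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.severity.upper():8} {f.destination} {f.reason}")
```

Running it against the constructed sample reports the metadata connection as critical and the three loopback/private-range connections as high, while the CDN fetch is left alone. The same classifier can sit in front of the application's own outbound fetch as a compensating control, rejecting a URL whose resolved address falls into one of these ranges before any request is made.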

Exploitation status

Public Exploit Available: No

Analyst recommendation

Applying the vendor patch is the most effective solution. Organizations running AVideo in AWS, Azure, or GCP should be especially vigilant and ensure that IMDSv2 (or equivalent) is enforced to mitigate the impact of SSRF.
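To show why the IMDSv2 recommendation above matters, here is an added example (not AWS code and not from the advisory) that models an instance metadata endpoint in its two modes: tokens optional and tokens required. It assumes, as is typical of SSRF through a URL parameter, that the attacker controls only the target URL and not the request method or headers; under that assumption the vulnerable endpoint can only issue a plain GET, so it can neither perform the PUT that issues a session token nor attach the token header, while a legitimate client on the host can. Only the token handshake is modelled; the header names are the real AWS ones, and the instance-id and token values are constructed.

```python
"""
Added example, not AWS code and not from the advisory: a deliberately
simplified model of an instance metadata endpoint, used to compare the
tokens-optional mode with the tokens-required mode (IMDSv2 on AWS).
"""
import secrets
from typing import Optional

TOKEN_PATH = "/latest/api/token"
TOKEN_HEADER = "x-aws-ec2-metadata-token"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"


class MetadataService:
    """Toy IMDS. require_token=False models optional tokens (IMDSv1 reachable);
    require_token=True models the enforced setting (HttpTokens=required)."""

    def __init__(self, require_token: bool):
        self.require_token = require_token
        self._issued = set()
        # Constructed placeholder document; a real IMDS also serves role
        # credentials under /latest/meta-data/, which is what the SSRF is after.
        self._documents = {"/latest/meta-data/instance-id": "i-0123456789EXAMPLE"}

    def handle(self, method: str, path: str, headers: Optional[dict] = None):
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if method == "PUT" and path == TOKEN_PATH:
            if TTL_HEADER not in headers:
                return 400, "missing ttl header"
            token = secrets.token_urlsafe(24)
            self._issued.add(token)
            return 200, token
        if method != "GET":
            return 405, "method not allowed"
        if self.require_token and headers.get(TOKEN_HEADER) not in self._issued:
            return 401, "token required"
        if path in self._documents:
            return 200, self._documents[path]
        return 404, "not found"


def ssrf_fetch(service: MetadataService, path: str):
    """What the vulnerable endpoint yields under our assumption: a GET with
    no control over the method or the headers."""
    return service.handle("GET", path)


def legitimate_fetch(service: MetadataService, path: str):
    """A well-behaved client on the instance: obtain a token, then present it."""
    status, token = service.handle("PUT", TOKEN_PATH, {TTL_HEADER: "21600"})
    if status != 200:
        return status, token
    return service.handle("GET", path, {TOKEN_HEADER: token})


def compare_modes(path: str = "/latest/meta-data/instance-id"):
    """Return the SSRF and legitimate-client status codes for both modes."""
    results = {}
    for mode, require in (("tokens-optional", False), ("tokens-required", True)):
        service = MetadataService(require_token=require)
        results[mode] = {
            "ssrf": ssrf_fetch(service, path)[0],
            "legitimate": legitimate_fetch(service, path)[0],
        }
    return results


if __name__ == "__main__":
    for mode, outcome in compare_modes().items():
        print(mode, outcome)
```

With tokens optional both callers get 200; with tokens required the plain GET gets 401 while the token-aware client still gets 200, which is exactly the property the recommendation relies on. On AWS the enforced mode is set with `aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required`. Azure and GCP already require a custom request header on their metadata services (`Metadata: true` and `Metadata-Flavor: Google` respectively), which gives the same protection against a header-less GET; the application-level patch remains the actual fix, since the SSRF can still reach other internal services.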