CVE-2020-37158

5.3 MEDIUM

📋 TL;DR

CVE-2020-37158 is a CSRF vulnerability in AVideo Platform 8.1 that allows attackers to reset user passwords without authentication by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using stolen recovery tokens to change account credentials. This affects all AVideo Platform 8.1 installations with default configurations.

💻 Affected Systems

Products:
  • AVideo Platform
Versions: 8.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of AVideo Platform 8.1 are vulnerable unless specifically patched or hardened against CSRF attacks.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain unauthorized access to administrative accounts, potentially compromising the entire platform, exfiltrating sensitive data, or deploying malware.

🟠 Likely Case

Attackers reset passwords for regular user accounts, leading to unauthorized access, data theft, or account takeover for phishing/spam campaigns.

🟢 If Mitigated

With proper CSRF protections and token validation, exploitation is prevented, maintaining normal authentication flow security.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to obtain or predict the user's password recovery token, which can be done through social engineering or token leakage.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.2 or later

Vendor Advisory: https://github.com/WWBN/AVideo/releases

Restart Required: No

Instructions:

1. Back up your current installation.
2. Download and install AVideo Platform version 8.2 or later from the official GitHub repository.
3. Verify the update by checking the version in the admin panel.

🔧 Temporary Workarounds

Implement CSRF Protection

Add CSRF tokens to the password recovery endpoint and validate them on the server side: modify recoverPass.php to include and validate CSRF tokens.

Disable Password Recovery

Temporarily disable the password recovery functionality until patched: comment out or remove the recoverPass endpoint in your web server configuration.

🧯 If You Can't Patch

  • Implement network-level controls such as WAF rules to block malicious requests to the recoverPass endpoint.
  • Enforce strong password policies and multi-factor authentication to reduce impact if accounts are compromised.

🔍 How to Verify

Check if Vulnerable:

Check if your AVideo installation is version 8.1 by logging into the admin panel and viewing the version information.

Check Version:

Check the version in the admin panel under 'System Info' or inspect the source code for version markers.

Verify Fix Applied:

After updating, confirm the version is 8.2 or later in the admin panel and test that the password recovery flow now requires and validates a CSRF token.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed password recovery attempts from the same IP
  • Unusual patterns of requests to recoverPass endpoint

Network Indicators:

  • HTTP POST requests to recoverPass without proper CSRF tokens
  • Suspicious referrer headers in password reset requests

SIEM Query:

source="web_server_logs" AND uri="/recoverPass" AND method="POST" AND NOT csrf_token=*
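The log and network indicators above, implemented as detection logic over structured access-log lines, as an added example that is not part of this advisory: the JSON field names, the hostname video.example.com and the sample lines are all constructed, not AVideo's own log format.

```python
import json
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

SITE_HOST = "video.example.com"   # assumed AVideo hostname (constructed)
RECOVER_URI = "/recoverPass"

# Constructed JSON-per-line access log; field names are assumptions, not AVideo's format.
SAMPLE_LOG = """
{"ts":"2020-06-01T10:00:00Z","client_ip":"203.0.113.7","method":"POST","uri":"/recoverPass","csrf_token":"a1b2","referer":"https://video.example.com/recoverPass"}
{"ts":"2020-06-01T10:00:05Z","client_ip":"198.51.100.9","method":"POST","uri":"/recoverPass","referer":"https://evil.example.net/page.html"}
{"ts":"2020-06-01T10:00:07Z","client_ip":"198.51.100.9","method":"POST","uri":"/recoverPass","csrf_token":"","referer":"https://evil.example.net/page.html"}
{"ts":"2020-06-01T10:00:09Z","client_ip":"198.51.100.9","method":"POST","uri":"/recoverPass","referer":""}
{"ts":"2020-06-01T10:01:00Z","client_ip":"203.0.113.7","method":"GET","uri":"/recoverPass","referer":""}
"""

def parse_log(text):
    """Parse JSON-lines text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_recover_post(ev):
    return ev.get("method") == "POST" and ev.get("uri") == RECOVER_URI

def missing_csrf(events):
    """Same condition as the SIEM query: POST /recoverPass with no csrf_token value."""
    return [ev for ev in events if is_recover_post(ev) and not ev.get("csrf_token")]

def foreign_referer(events, site_host=SITE_HOST):
    """Recovery POSTs whose Referer names another host (a cross-site origin)."""
    hits = []
    for ev in events:
        host = urlparse(ev.get("referer", "")).hostname
        if is_recover_post(ev) and host is not None and host != site_host:
            hits.append(ev)
    return hits

def bursty_ips(events, threshold=3, window_s=60):
    """IPs that issue >= threshold recovery POSTs within any window_s-second span."""
    by_ip = defaultdict(list)
    for ev in events:
        if is_recover_post(ev):
            by_ip[ev["client_ip"]].append(datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")))
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged.add(ip)
                break
    return flagged
```

A request with an empty Referer is not flagged by foreign_referer, since browsers strip it in some privacy modes; the missing-token check still catches it.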
