CVE-2020-37173
📋 TL;DR
AVideo Platform 8.1 contains an information disclosure vulnerability that allows attackers to enumerate user details through the playlistsFromUser.json.php endpoint. By manipulating the users_id parameter, attackers can retrieve sensitive user information including email, password hash, and administrative status. This affects all AVideo Platform 8.1 installations with the vulnerable endpoint accessible.
💻 Affected Systems
- AVideo Platform
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could harvest all user credentials (including admin accounts), leading to complete system compromise, data theft, and potential lateral movement to other systems.
Likely Case
Attackers enumerate user accounts, obtain password hashes for cracking attempts, identify admin accounts for targeted attacks, and gather email addresses for phishing campaigns.
If Mitigated
With proper network segmentation and access controls, impact is limited to information disclosure of user data accessible through the vulnerable endpoint.
🎯 Exploit Status
Exploit requires simple HTTP requests to the vulnerable endpoint with manipulated parameters. Public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.2 or later
Vendor Advisory: https://github.com/WWBN/AVideo
Restart Required: No
Instructions:
1. Upgrade AVideo Platform to version 8.2 or later.
2. Verify the playlistsFromUser.json.php endpoint no longer discloses sensitive user information.
3. Consider resetting user passwords as a precaution.
🔧 Temporary Workarounds
Block vulnerable endpoint
Restrict access to the playlistsFromUser.json.php endpoint using web server configuration or firewall rules.
# Apache (httpd.conf or virtual-host context with mod_rewrite; in .htaccess drop the leading slash): RewriteEngine On
#   RewriteRule ^/plugin/API/playlistsFromUser\.json\.php$ - [F]
# Nginx: location = /plugin/API/playlistsFromUser.json.php { deny all; }
Implement authentication requirement
Modify the endpoint to require valid authentication before returning any user data.
# Modify playlistsFromUser.json.php to check user session before processing
🧯 If You Can't Patch
- Implement network segmentation to restrict access to AVideo Platform from untrusted networks.
- Deploy a web application firewall (WAF) with rules to block requests to the vulnerable endpoint.
🔍 How to Verify
Check if Vulnerable:
Send a GET request to /plugin/API/playlistsFromUser.json.php?users_id=1 and check if sensitive user information (email, password hash) is returned in the response.
Check Version:
Check AVideo version in admin panel or examine version files in installation directory.
Verify Fix Applied:
After patching, repeat the vulnerable check. The endpoint should return an error or no sensitive data when accessing user information.
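The checks above inspect the JSON the endpoint returns. The following is an added example, not code from the AVideo project, that audits such a response body offline and lists every key that looks like a credential, contact or privilege field, so the same function can be run on the body captured from your own instance before and after patching. The key tokens it looks for and the two sample bodies are constructed assumptions, not the project's real field names.

```python
"""Audit a playlistsFromUser.json.php response body for disclosed user fields.

Added example for this advisory (not AVideo project code). Feed `audit_response` the raw
body you captured from your own instance; an empty result means no key matched the
sensitive-token list below, which is an assumption rather than AVideo's real schema.
"""
import json

# Key fragments treated as sensitive (assumed; extend to match your instance's schema).
SENSITIVE_TOKENS = ("email", "pass", "admin", "hash", "token")


def sensitive_paths(obj, prefix=""):
    """Recursively walk decoded JSON and return dotted paths of keys that contain a
    sensitive token. Lists are indexed as name[i] so nested user objects are reported."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else str(key)
            if any(tok in str(key).lower() for tok in SENSITIVE_TOKENS):
                hits.append(path)
            hits.extend(sensitive_paths(value, path))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(sensitive_paths(value, f"{prefix}[{i}]"))
    return hits


def audit_response(body):
    """Decode a JSON response body and return the list of sensitive key paths found.
    Non-JSON bodies (for example an error page after the fix) yield an empty list."""
    try:
        data = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return []
    return sensitive_paths(data)


# Constructed sample bodies: one shaped like a disclosing response, one like a fixed one.
VULNERABLE_SAMPLE = json.dumps({
    "playlists": [{
        "id": 3, "name": "Favorites",
        "user": {"id": 1, "email": "admin@example.invalid",
                 "password": "$2y$10$constructedhashvalue", "isAdmin": True},
    }]
})
FIXED_SAMPLE = json.dumps({"playlists": [{"id": 3, "name": "Favorites"}]})

if __name__ == "__main__":
    for label, body in (("vulnerable", VULNERABLE_SAMPLE), ("fixed", FIXED_SAMPLE)):
        print(label, audit_response(body))
```

Run it against the body you captured from the vulnerable check; after upgrading to 8.2 or later, the same call on the new body should return an empty list.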
📡 Detection & Monitoring
Log Indicators:
- Multiple requests to playlistsFromUser.json.php with different users_id parameters
- Unusual access patterns to user data endpoints
Network Indicators:
- HTTP requests to /plugin/API/playlistsFromUser.json.php with parameter manipulation
- Burst of requests to user enumeration endpoints
SIEM Query:
source="web_logs" AND uri="/plugin/API/playlistsFromUser.json.php" AND (param="users_id" OR query_contains="users_id")