CVE-2020-37172 in AVideo
Summary
by MITRE • 02/11/2026
AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials without authentication.
Analysis
by VulDB Data Team • 02/20/2026
The vulnerability identified as CVE-2020-37172 resides in AVideo Platform version 8.1 and is a critical cross-site request forgery flaw that directly compromises user account security. It targets the platform's password recovery mechanism, creating an exploitable pathway that allows unauthorized actors to manipulate user credentials without proper authentication. The flaw exists in the recoverPass endpoint, which should validate the user's identity before allowing a password reset but instead accepts requests containing valid recovery tokens without sufficient verification.
The technical implementation of this vulnerability stems from inadequate input validation and missing anti-CSRF protection mechanisms within the password recovery workflow. When users request password recovery, the system generates and sends a recovery token to their registered email address. However, the recoverPass endpoint fails to properly verify that the request originates from the legitimate user or their authorized device. Attackers can leverage this weakness by crafting malicious web pages or email content that automatically submits requests to the recoverPass endpoint using stolen or predictable recovery tokens. This allows them to reset passwords without knowing the original user credentials, effectively taking control of accounts through social engineering or token interception techniques.
The operational impact of this vulnerability extends beyond simple credential theft to encompass complete account takeover capabilities and potential data breaches. Once an attacker successfully exploits this CSRF vulnerability, they gain unrestricted access to user accounts including personal information, uploaded content, communication records, and any other data stored within the platform. The attack vector is particularly dangerous because it can be executed through seemingly benign web interactions, making it difficult for users to detect compromise until significant damage has occurred. Organizations running AVideo Platform 8.1 become vulnerable to unauthorized access, data exfiltration, and potential misuse of legitimate user accounts for further attacks.
Security professionals should address this vulnerability by immediately implementing anti-CSRF token validation and enhanced session management. The recommended mitigation is to issue a unique, time-limited CSRF token for each password recovery request and to validate it before any credential change is processed. Additionally, organizations should require multi-factor authentication for password recovery and apply rate limiting to prevent automated exploitation attempts. This vulnerability aligns with CWE-352, which addresses cross-site request forgery weaknesses in web applications, and maps to ATT&CK technique T1531 related to "Account Access Removal" and T1078 related to "Valid Accounts" for privilege escalation activities.
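The CSRF-token mitigation described above, sketched in PHP as an added example; it is not AVideo's code or its actual fix. The function names, the session array (standing in for `$_SESSION`) and the 900-second lifetime are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not AVideo code: every name here is hypothetical.
const CSRF_TTL = 900; // assumed lifetime, in seconds, of a rendered reset form

// Mint a token when the reset form is rendered; bound to this session and account.
function issueRecoveryCsrf(array &$session, string $user, int $now): string
{
    $session['csrf_key'] ??= random_bytes(32); // per-session secret, never sent to the client
    $nonce = bin2hex(random_bytes(16));
    $expires = $now + CSRF_TTL;
    $session['csrf_nonces'][$nonce] = $expires; // remembered so the token works once
    $mac = hash_hmac('sha256', "$user|$nonce|$expires", $session['csrf_key']);
    return "$nonce.$expires.$mac";
}

// True only for an unexpired, unused token minted for this session and account.
function checkRecoveryCsrf(array &$session, string $user, string $token, int $now): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !isset($session['csrf_key'])) {
        return false;
    }
    [$nonce, $expires, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now || !isset($session['csrf_nonces'][$nonce])) {
        return false;
    }
    $expected = hash_hmac('sha256', "$user|$nonce|$expires", $session['csrf_key']);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return false;
    }
    unset($session['csrf_nonces'][$nonce]); // consume: a replay fails
    return true;
}

// Constructed sessions: $form rendered the reset page, $other never did.
$now = time();
$form = []; $other = [];
$token = issueRecoveryCsrf($form, 'alice', $now);
$cases = [
    'request from a session that never loaded the form' => checkRecoveryCsrf($other, 'alice', $token, $now),
    'token reused for a different account' => checkRecoveryCsrf($form, 'bob', $token, $now),
    'token presented after expiry' => checkRecoveryCsrf($form, 'alice', $token, $now + CSRF_TTL + 1),
    'legitimate form submission' => checkRecoveryCsrf($form, 'alice', $token, $now),
    'same token replayed' => checkRecoveryCsrf($form, 'alice', $token, $now),
];
foreach ($cases as $label => $ok) {
    echo str_pad($label, 52), $ok ? 'accepted' : 'rejected', PHP_EOL;
}
```

The check runs before the recovery token is looked at, so a request that did not come from the form the application rendered for that browser never reaches the credential change.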
Organizations should conduct immediate security assessments to identify all instances of AVideo Platform 8.1 in their infrastructure and ensure prompt patching or mitigation implementation. The vulnerability demonstrates the critical importance of proper authentication flow validation in web applications, particularly in sensitive functions like password recovery and account management. Regular security testing including penetration testing and vulnerability scanning should be implemented to identify similar weaknesses in other web applications and prevent exploitation of similar CSRF patterns in the broader attack surface.