CVE-2020-37173 in AVideo
Summary
by MITRE • 02/11/2026
AVideo Platform 8.1 contains an information disclosure vulnerability that allows attackers to enumerate user details through the playlistsFromUser.json.php endpoint. Attackers can retrieve sensitive user information including email, password hash, and administrative status by manipulating the users_id parameter.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 02/20/2026
The vulnerability identified as CVE-2020-37173 affects AVideo Platform version 8.1 and represents a critical information disclosure flaw that compromises user privacy and system security. This vulnerability exists within the playlistsFromUser.json.php endpoint, which is designed to handle user playlist data retrieval but fails to properly validate input parameters, creating an exploitable condition that allows unauthorized access to sensitive user information.
The technical implementation flaw stems from insufficient input validation and access control mechanisms within the application's user enumeration functionality. When attackers manipulate the users_id parameter through the playlistsFromUser.json.php endpoint, the system fails to authenticate or authorize the request properly, enabling arbitrary user data retrieval. This vulnerability directly maps to CWE-200, which describes improper exposure of sensitive information, and represents a classic case of insufficient access control where the application does not adequately verify user permissions before exposing sensitive data.
The operational impact of this vulnerability extends beyond simple data exposure, as it provides attackers with comprehensive user profile information including email addresses, password hashes, and administrative privileges. This information can be leveraged for various malicious activities including credential stuffing attacks, targeted phishing campaigns, and privilege escalation attempts. The exposure of password hashes specifically enables attackers to attempt offline password cracking or use these credentials in credential reuse attacks against other systems where users may have employed the same passwords.
Security professionals should recognize this vulnerability as a significant risk to user privacy and system integrity, particularly in environments where AVideo Platform is used for content management or user collaboration. The attack vector is straightforward and requires minimal technical expertise to exploit, making it particularly dangerous in production environments. The vulnerability demonstrates poor input sanitization practices and highlights the importance of implementing proper authentication and authorization controls for all API endpoints that handle user data.
Mitigation strategies should include immediate implementation of input parameter validation and access control checks for the playlistsFromUser.json.php endpoint, ensuring that only authorized users can access specific user data. The platform should enforce proper authentication mechanisms and implement rate limiting to prevent automated enumeration attacks. Additionally, security teams should conduct comprehensive code reviews to identify similar vulnerabilities in other API endpoints and ensure that all user data access is properly authenticated and authorized. This vulnerability aligns with ATT&CK technique T1213, which covers data from information repositories, and emphasizes the need for proper data access controls and input validation across all application components. Organizations should also consider implementing network segmentation and monitoring for unusual data access patterns to detect potential exploitation attempts.