CVE-2020-37158
Published: 11 February 2026
Summary
CVE-2020-37158 is a medium-severity CSRF (CWE-352) vulnerability in Wwbn Avideo. Its CVSS base score is 5.3 (Medium).
Operationally, ranked at the 8.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.
Establishing procedures for lost or compromised authenticators addresses weak password recovery mechanisms.
Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
Detects anomalous request patterns consistent with cross-site request forgery.
NVD Description
AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials…
more
without authentication.
Deeper analysisAI
CVE-2020-37158 is a cross-site request forgery (CSRF) vulnerability in AVideo Platform version 8.1, associated with CWE-352 (CSRF) and CWE-640 (Weak Password Recovery Mechanism for Forgotten Password). The flaw exists in the password recovery mechanism, specifically the recoverPass endpoint, which attackers can exploit by crafting malicious requests that leverage a user's recovery token to reset account credentials without requiring authentication.
Unauthenticated attackers (PR:N) with network access (AV:N) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), achieving low integrity impact (I:L) as scored by CVSS 3.1 at 5.3. By tricking users into visiting a malicious site or clicking a forged link while they have a valid recovery token (e.g., from a legitimate password reset email), attackers can submit unauthorized requests to the recoverPass endpoint, enabling them to change the victim's account password and gain unauthorized access.
Advisories and resources for mitigation are available via references including the AVideo website (https://avideo.com), the project's GitHub repository (https://github.com/WWBN/AVideo), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/48003), and a VulnCheck advisory (https://www.vulncheck.com/advisories/avideo-platform-cross-site-request-forgery-password-reset), which likely detail patches or configuration changes to implement CSRF protections on the recoverPass endpoint.
A public exploit is documented on Exploit-DB, indicating potential for real-world abuse against unpatched AVideo Platform 8.1 instances.
Details
- CWE(s)