CVE-2020-37158
Published: 11 February 2026
Summary
CVE-2020-37158 is a high-severity CSRF (CWE-352) vulnerability in Wwbn Avideo. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-11 (Re-authentication).
Deeper analysis
CVE-2020-37158 is a cross-site request forgery (CSRF) vulnerability in AVideo Platform version 8.1, associated with CWE-352 (CSRF) and CWE-640 (Weak Password Recovery Mechanism for Forgotten Password). The flaw exists in the password recovery mechanism, specifically the recoverPass endpoint, which attackers can exploit by crafting malicious requests that leverage a user's recovery token to reset account credentials without requiring authentication.
Unauthenticated attackers (PR:N) with network access (AV:N) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), achieving low integrity impact (I:L) as scored by CVSS 3.1 at 5.3. By tricking users into visiting a malicious site or clicking a forged link while they have a valid recovery token (e.g., from a legitimate password reset email), attackers can submit unauthorized requests to the recoverPass endpoint, enabling them to change the victim's account password and gain unauthorized access.
Advisories and resources for mitigation are available via references including the AVideo website (https://avideo.com), the project's GitHub repository (https://github.com/WWBN/AVideo), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/48003), and a VulnCheck advisory (https://www.vulncheck.com/advisories/avideo-platform-cross-site-request-forgery-password-reset), which likely detail patches or configuration changes to implement CSRF protections on the recoverPass endpoint.
A public exploit is documented on Exploit-DB, indicating potential for real-world abuse against unpatched AVideo Platform 8.1 instances.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31057
Vulnerability details
AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials…
more
without authentication.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF on public-facing password recovery endpoint directly enables exploitation of public apps (T1190) and account password manipulation (T1098) for unauthorized access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces that the recoverPass endpoint only accepts requests from properly authenticated sessions, directly blocking forged CSRF password-reset attempts.
Requires re-authentication before allowing a password change via the recovery token, eliminating the ability to reset credentials with a stolen or replayed token alone.
Validates request origin, token binding, and anti-CSRF markers on the recoverPass endpoint so that cross-site forged requests are rejected.