Cyber Resilience

CVE-2020-37158

HighPublic PoC

Published: 11 February 2026

Published
11 February 2026
Modified
20 February 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0023 13.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2020-37158 is a high-severity CSRF (CWE-352) vulnerability in Wwbn Avideo. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-11 (Re-authentication).

Deeper analysis

CVE-2020-37158 is a cross-site request forgery (CSRF) vulnerability in AVideo Platform version 8.1, associated with CWE-352 (CSRF) and CWE-640 (Weak Password Recovery Mechanism for Forgotten Password). The flaw exists in the password recovery mechanism, specifically the recoverPass endpoint, which attackers can exploit by crafting malicious requests that leverage a user's recovery token to reset account credentials without requiring authentication.

Unauthenticated attackers (PR:N) with network access (AV:N) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), achieving low integrity impact (I:L) as scored by CVSS 3.1 at 5.3. By tricking users into visiting a malicious site or clicking a forged link while they have a valid recovery token (e.g., from a legitimate password reset email), attackers can submit unauthorized requests to the recoverPass endpoint, enabling them to change the victim's account password and gain unauthorized access.

Advisories and resources for mitigation are available via references including the AVideo website (https://avideo.com), the project's GitHub repository (https://github.com/WWBN/AVideo), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/48003), and a VulnCheck advisory (https://www.vulncheck.com/advisories/avideo-platform-cross-site-request-forgery-password-reset), which likely detail patches or configuration changes to implement CSRF protections on the recoverPass endpoint.

A public exploit is documented on Exploit-DB, indicating potential for real-world abuse against unpatched AVideo Platform 8.1 instances.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials…

more

without authentication.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

CSRF on public-facing password recovery endpoint directly enables exploitation of public apps (T1190) and account password manipulation (T1098) for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33649Same product: Wwbn Avideo
CVE-2026-40925Same product: Wwbn Avideo
CVE-2020-37172Same product: Wwbn Avideo
CVE-2026-34394Same product: Wwbn Avideo
CVE-2026-33507Same product: Wwbn Avideo
CVE-2026-33292Same product: Wwbn Avideo
CVE-2026-33479Same product: Wwbn Avideo
CVE-2026-33767Same product: Wwbn Avideo
CVE-2026-33770Same product: Wwbn Avideo
CVE-2026-33038Same product: Wwbn Avideo

Affected Assets

wwbn
avideo
8.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces that the recoverPass endpoint only accepts requests from properly authenticated sessions, directly blocking forged CSRF password-reset attempts.

prevent

Requires re-authentication before allowing a password change via the recovery token, eliminating the ability to reset credentials with a stolen or replayed token alone.

prevent

Validates request origin, token binding, and anti-CSRF markers on the recoverPass endpoint so that cross-site forged requests are rejected.

References