CVE-2020-37172
Published: 11 February 2026
Summary
CVE-2020-37172 is a medium-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in Wwbn Avideo. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SC-23 requires mechanisms to ensure session authenticity, directly preventing CSRF attacks by blocking forged requests to the recoverPass endpoint.
AC-3 enforces access control policies that require validation of request authenticity for sensitive password recovery operations.
IA-5 manages recovery tokens as authenticators, ensuring secure handling and validation to mitigate unauthorized password resets via CSRF.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2020-37172 is a CSRF vulnerability in a public-facing web application (AVideo Platform) that allows unauthenticated remote exploitation to reset user passwords, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials…
more
without authentication.
Deeper analysisAI
CVE-2020-37172 is a cross-site request forgery (CSRF) vulnerability in AVideo Platform version 8.1. The flaw resides in the password recovery mechanism, particularly the recoverPass endpoint, which attackers can exploit by crafting malicious requests that leverage a user's recovery token to reset passwords without requiring authentication.
Unauthenticated attackers with network access can exploit this vulnerability, which has a CVSS score of 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) and is associated with CWE-640. Exploitation allows them to change user account credentials, potentially granting unauthorized access to affected accounts.
Advisories and additional details are documented in resources such as the Vulncheck advisory at https://www.vulncheck.com/advisories/avideo-platform-cross-site-request-forgery-password-reset, an Exploit-DB entry at https://www.exploit-db.com/exploits/48003, and official AVideo sites including https://avideo.com and https://github.com/WWBN/AVideo; practitioners should review these for mitigation guidance and patches.
A proof-of-concept exploit is available on Exploit-DB, highlighting the risk of real-world exploitation.
Details
- CWE(s)