Cyber Resilience

CVE-2020-37172

HighPublic PoC

Published: 11 February 2026

Published
11 February 2026
Modified
18 February 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0068 47.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2020-37172 is a high-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in Wwbn Avideo. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2020-37172 is a cross-site request forgery (CSRF) vulnerability in AVideo Platform version 8.1. The flaw resides in the password recovery mechanism, particularly the recoverPass endpoint, which attackers can exploit by crafting malicious requests that leverage a user's recovery token to reset passwords without requiring authentication.

Unauthenticated attackers with network access can exploit this vulnerability, which has a CVSS score of 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) and is associated with CWE-640. Exploitation allows them to change user account credentials, potentially granting unauthorized access to affected accounts.

Advisories and additional details are documented in resources such as the Vulncheck advisory at https://www.vulncheck.com/advisories/avideo-platform-cross-site-request-forgery-password-reset, an Exploit-DB entry at https://www.exploit-db.com/exploits/48003, and official AVideo sites including https://avideo.com and https://github.com/WWBN/AVideo; practitioners should review these for mitigation guidance and patches.

A proof-of-concept exploit is available on Exploit-DB, highlighting the risk of real-world exploitation.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials…

more

without authentication.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2020-37172 is a CSRF vulnerability in a public-facing web application (AVideo Platform) that allows unauthenticated remote exploitation to reset user passwords, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33292Same product: Wwbn Avideo
CVE-2026-41055Same product: Wwbn Avideo
CVE-2020-37158Same product: Wwbn Avideo
CVE-2026-33297Same product: Wwbn Avideo
CVE-2026-41057Same product: Wwbn Avideo
CVE-2026-33479Same product: Wwbn Avideo
CVE-2026-33767Same product: Wwbn Avideo
CVE-2026-33770Same product: Wwbn Avideo
CVE-2026-33038Same product: Wwbn Avideo
CVE-2026-33719Same product: Wwbn Avideo

Affected Assets

wwbn
avideo
8.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-23 requires mechanisms to ensure session authenticity, directly preventing CSRF attacks by blocking forged requests to the recoverPass endpoint.

prevent

AC-3 enforces access control policies that require validation of request authenticity for sensitive password recovery operations.

prevent

IA-5 manages recovery tokens as authenticators, ensuring secure handling and validation to mitigate unauthorized password resets via CSRF.

References