CVE-2023-49810: 
PHP vulnerability analysis and mitigation

A login attempt restriction bypass vulnerability exists in the checkLoginAttempts functionality of WWBN AVideo dev master commit 15fed957fb. The vulnerability was discovered in January 2024 and assigned CVE-2023-49810. The vulnerability affects the AVideo platform, which is a web application written in PHP used for creating audio/video sharing websites (Talos Report).

The vulnerability exists in the checkLoginAttempts functionality where a specially crafted HTTP request can lead to captcha bypass. The issue occurs because the checkLoginAttempts() function returns true after the first call in the current request, effectively skipping the captcha checks in subsequent calls. This behavior exists because of a global variable check that prevents multiple validations within the same request. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) by NIST and 7.3 (HIGH) by Talos, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD).

The vulnerability allows an attacker to bypass the CAPTCHA protection mechanism, which can be abused to perform brute force attacks against user credentials. This could potentially lead to unauthorized access to user accounts on the affected AVideo platform (Talos Report).

The vulnerability affects WWBN AVideo dev master commit 15fed957fb. Users should update to a patched version of the software. The vulnerability was disclosed to the vendor on December 14, 2023, and a patch was released on December 15, 2023 (Talos Report).