CVE-2020-37172

MediumPublic PoC

Published: 11 February 2026

Published

11 February 2026

Modified

18 February 2026

KEV Added

—

Patch

—

CVSS Score 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Score 0.0011 28.4th percentile

Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Description

AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials…

without authentication.

Mitigating Controls (NIST 800-53 r5)AI

SC-23 Session Authenticity good match

prevent

SC-23 requires mechanisms to ensure session authenticity, directly preventing CSRF attacks by blocking forged requests to the recoverPass endpoint.

AC-3 Access Enforcement partial match

prevent

AC-3 enforces access control policies that require validation of request authenticity for sensitive password recovery operations.

IA-5 Authenticator Management partial match

prevent

IA-5 manages recovery tokens as authenticators, ensuring secure handling and validation to mitigate unauthorized password resets via CSRF.

Security SummaryAI

CVE-2020-37172 is a cross-site request forgery (CSRF) vulnerability in AVideo Platform version 8.1. The flaw resides in the password recovery mechanism, particularly the recoverPass endpoint, which attackers can exploit by crafting malicious requests that leverage a user's recovery token to reset passwords without requiring authentication.

Unauthenticated attackers with network access can exploit this vulnerability, which has a CVSS score of 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) and is associated with CWE-640. Exploitation allows them to change user account credentials, potentially granting unauthorized access to affected accounts.

Advisories and additional details are documented in resources such as the Vulncheck advisory at https://www.vulncheck.com/advisories/avideo-platform-cross-site-request-forgery-password-reset, an Exploit-DB entry at https://www.exploit-db.com/exploits/48003, and official AVideo sites including https://avideo.com and https://github.com/WWBN/AVideo; practitioners should review these for mitigation guidance and patches.

A proof-of-concept exploit is available on Exploit-DB, highlighting the risk of real-world exploitation.

Details

CWE(s): CWE-640

Affected Products

wwbn

avideo

8.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2020-37172 is a CSRF vulnerability in a public-facing web application (AVideo Platform) that allows unauthenticated remote exploitation to reset user passwords, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://avideo.com
Product · disclosure@vulncheck.com
https://github.com/WWBN/AVideo
Product · disclosure@vulncheck.com
https://www.exploit-db.com/exploits/48003
Exploit, Third Party Advisory, VDB Entry · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/avideo-platform-cross-site-request-forgery-password-reset
Third Party Advisory · disclosure@vulncheck.com