VYPR
Unrated severity · NVD Advisory · Published Mar 30, 2022 · Updated Aug 4, 2024

CVE-2021-45900

Description

Vivoh Webinar Manager before 3.6.3.0 has improper API authentication. When a user logs in to the administration configuration web portlet, a VIVOH_AUTH cookie is assigned so that they can be uniquely identified. Certain APIs can be successfully executed without proper authentication. This can let an attacker impersonate a victim and make state-changing requests on their behalf.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing server-side validation of the VIVOH_AUTH cookie on certain API endpoints allows unauthenticated state-changing requests."

Attack vector

An attacker can impersonate any victim by sending a crafted HTTP request to a vulnerable API endpoint while including only the victim's `VIVOH_USERNAME` cookie and omitting the `VIVOH_AUTH` cookie [ref_id=1]. The server accepts the request and performs state-changing operations (create, update, or delete) on sources, rules, or configuration without verifying that a valid authentication cookie is present [ref_id=1]. The attacker needs only to know or guess a valid username to set in the cookie; no valid session token is required.

Affected code

The vulnerable endpoints are POST, PUT, and DELETE requests to `/api/source/`, POST, PUT, and DELETE requests to `/api/rule/`, and PUT requests to `/api/config/` [ref_id=1]. The application relies on a `VIVOH_AUTH` cookie for authentication, but these APIs do not properly validate that cookie before processing requests [ref_id=1].

What the fix does

The advisory states the remediation is to "check if the valid auth cookie is present in the request" on the server side and to "invalidate the auth cookie once the user logs out" [ref_id=1]. The fix was verified by sending a POST request to `/api/source` with only the `VIVOH_USERNAME` cookie, which then returned an "unauthenticated" error instead of succeeding [ref_id=1]. No patch diff is provided in the bundle.
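The following is an added example, not Vivoh's code (no patch diff is available), showing what the two remediation points above look like in a server-side request check: a state-changing API request is processed only when its VIVOH_AUTH cookie maps to a live session, and logout removes that session so the cookie stops working. The in-memory session store, the `vulnerable_authorize`/`fixed_authorize` function names, the `/api/` prefix rule and the constructed cookie headers are assumptions for illustration; only the cookie names and endpoint paths come from the advisory.

```python
"""Hypothetical server-side auth check modelled on the fix the advisory
describes. Added example code; the session store, function names and
request shapes are assumptions, not Vivoh's implementation."""
import hmac
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple


@dataclass
class SessionStore:
    """Constructed in-memory store: auth token -> username."""
    sessions: Dict[str, str] = field(default_factory=dict)

    def login(self, username: str) -> str:
        # Issue an unguessable token; this is the value the VIVOH_AUTH cookie carries.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def logout(self, token: str) -> None:
        # Second part of the fix: the auth cookie must be invalidated on logout.
        self.sessions.pop(token, None)

    def lookup(self, token: str) -> Optional[str]:
        # Constant-time comparison so token lookup does not leak timing information.
        for stored, user in self.sessions.items():
            if hmac.compare_digest(stored.encode(), token.encode()):
                return user
        return None


def parse_cookies(header: str) -> Dict[str, str]:
    """Parse a raw Cookie request header into a name -> value mapping."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def vulnerable_authorize(store: SessionStore, method: str, path: str,
                         cookie_header: str) -> Tuple[int, Optional[str]]:
    """Pre-fix behaviour as the advisory describes it: the username cookie
    alone identifies the caller, so VIVOH_AUTH is never checked."""
    user = parse_cookies(cookie_header).get("VIVOH_USERNAME")
    if user is None:
        return 401, "unauthenticated"
    return 200, user


def fixed_authorize(store: SessionStore, method: str, path: str,
                    cookie_header: str) -> Tuple[int, Optional[str]]:
    """Post-fix behaviour: every /api/ request (which covers the affected
    /api/source/, /api/rule/ and /api/config/ endpoints) must carry a
    VIVOH_AUTH cookie that maps to a live session, and the session's user
    must match any VIVOH_USERNAME the client claims."""
    if not path.startswith("/api/"):
        return 200, None  # assumption: non-API paths are public (static assets)
    cookies = parse_cookies(cookie_header)
    token = cookies.get("VIVOH_AUTH")
    if not token:
        return 401, "unauthenticated"  # the response the advisory's verification saw
    user = store.lookup(token)
    if user is None:
        return 401, "unauthenticated"  # unknown, expired or logged-out token
    claimed = cookies.get("VIVOH_USERNAME")
    if claimed is not None and not hmac.compare_digest(claimed.encode(), user.encode()):
        return 403, "forbidden"  # session belongs to someone else
    return 200, user


if __name__ == "__main__":
    store = SessionStore()
    token = store.login("alice")
    # Username cookie only: accepted before the fix, rejected after it.
    print(vulnerable_authorize(store, "POST", "/api/source/new", "VIVOH_USERNAME=alice"))
    print(fixed_authorize(store, "POST", "/api/source/new", "VIVOH_USERNAME=alice"))
    # Valid session: accepted. After logout the same token is rejected.
    print(fixed_authorize(store, "POST", "/api/source/new",
                          f"VIVOH_USERNAME=alice; VIVOH_AUTH={token}"))
    store.logout(token)
    print(fixed_authorize(store, "DELETE", "/api/rule/1", f"VIVOH_AUTH={token}"))
```

The check is placed in front of every `/api/` route rather than only the endpoints the advisory lists, so a newly added state-changing route cannot fall through the same gap; the username cookie is treated as a claim to be verified against the session, never as the identity itself.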

Preconditions

  • Input: Attacker must know or guess a valid VIVOH_USERNAME value for the target victim.
  • Configuration: The target Vivoh Webinar Manager instance must be running a version before 3.6.3.0.
  • Network: Attacker must have network access to the administration configuration web portlet (typically on port 8443).

Reproduction

1. Create a new source in the Vivoh Webinar Manager UI.
2. Inspect the new source and copy it as a curl command.
3. Remove the `VIVOH_AUTH` cookie from the curl command, keeping only the `VIVOH_USERNAME` cookie.
4. Send the modified POST request to `/api/source/new` — the server returns a success response, confirming the API executes without proper authentication [ref_id=1].

The same approach works for PUT and DELETE on `/api/source/`, all methods on `/api/rule/`, and PUT on `/api/config/` [ref_id=1].
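From the defender's side, the request pattern above (a state-changing call to an affected endpoint carrying VIVOH_USERNAME but no VIVOH_AUTH) is also what to look for in access logs when deciding whether an unpatched instance was used this way. The example below is added here and is not part of the advisory; it assumes a reverse proxy in front of the portlet writes a constructed log format in which the names (not values) of the request's cookies appear in a `cookies=` field, and the sample lines are constructed, not real traffic. Successful matches (2xx) indicate the vulnerability was exercised; 401 matches on a patched instance still show the pattern being attempted.

```python
"""Log review for CVE-2021-45900 request patterns. Added example; the log
format and sample lines are constructed assumptions, not Vivoh's logging."""
import re
from typing import Dict, Iterable, List

# Affected endpoints and methods as listed in the advisory.
AFFECTED = {
    "/api/source/": {"POST", "PUT", "DELETE"},
    "/api/rule/": {"POST", "PUT", "DELETE"},
    "/api/config/": {"PUT"},
}

# Assumed proxy format: <timestamp> <client> "<METHOD> <path>" <status> cookies=<name,name,...>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) cookies=(?P<cookies>\S*)$'
)

# Constructed sample: one client issues three username-only requests, one of
# which is a GET (not an affected method) and one of which was rejected.
SAMPLE_LOG = [
    '2022-03-30T10:15:01Z 203.0.113.7 "POST /api/source/new" 200 cookies=VIVOH_USERNAME',
    '2022-03-30T10:15:05Z 192.0.2.10 "POST /api/source/new" 200 cookies=VIVOH_USERNAME,VIVOH_AUTH',
    '2022-03-30T10:16:11Z 203.0.113.7 "DELETE /api/rule/4" 200 cookies=VIVOH_USERNAME',
    '2022-03-30T10:17:00Z 203.0.113.7 "GET /api/source/" 200 cookies=VIVOH_USERNAME',
    '2022-03-30T10:18:00Z 203.0.113.7 "PUT /api/config/" 401 cookies=VIVOH_USERNAME',
    'garbage line that does not parse',
]


def is_affected(method: str, path: str) -> bool:
    """True when the method/path pair is one the advisory names as vulnerable."""
    return any(path.startswith(prefix) and method in methods
               for prefix, methods in AFFECTED.items())


def scan(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return affected-endpoint requests that lacked a VIVOH_AUTH cookie,
    split by whether the server accepted (2xx) or rejected them."""
    findings: Dict[str, List[str]] = {"succeeded": [], "rejected": []}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the whole review
        if not is_affected(m["method"], m["path"]):
            continue
        cookie_names = {n for n in m["cookies"].split(",") if n}
        if "VIVOH_AUTH" in cookie_names:
            continue  # carried an auth cookie; validity is the server's job
        bucket = "succeeded" if m["status"].startswith("2") else "rejected"
        findings[bucket].append(f"{m['ts']} {m['src']} {m['method']} {m['path']} {m['status']}")
    return findings


if __name__ == "__main__":
    for bucket, hits in scan(SAMPLE_LOG).items():
        print(bucket)
        for hit in hits:
            print("  ", hit)
```

A real deployment would feed the proxy's own log file to `scan` in place of `SAMPLE_LOG`; the point of matching on cookie names only is that the auth token never needs to be written to the log to run this review.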

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
