fix: Add CSRF token validation in save.json.php and include token in AJAX request

Daniel Neto · Daniel Neto · commit 7f5b41093f77 · 2026-03-27T11:39:57.000-03:00
https://github.com/WWBN/AVideo/security/advisories/GHSA-qpjj-c8vg-wqw7
diff --git a/admin/index.php b/admin/index.php
@@ -347,13 +347,14 @@ public function addItem(MenuAdmin $menu)
     </div>
 </div>
 <script>
+    var adminSaveToken = '<?php echo getToken(); ?>';
     $(document).ready(function() {
         $('.adminOptionsForm').submit(function(e) {
             e.preventDefault();
             modal.showPleaseWait();
             $.ajax({
                 url: webSiteRootURL + 'admin/save.json.php',
-                data: $(this).serialize(),
+                data: $(this).serialize() + '&globalToken=' + encodeURIComponent(adminSaveToken),
                 type: 'post',
                 success: function(response) {
                     modal.hidePleaseWait();
diff --git a/admin/save.json.php b/admin/save.json.php
@@ -8,6 +8,9 @@
 if (!User::isAdmin()) {
     die('{"error":"' . __("Permission denied") . '"}');
 }
+if (!isGlobalTokenValid()) {
+    die('{"error":"' . __("Invalid or missing CSRF token") . '"}');
+}
 
 $pluginName = $_POST['pluginName'];
 

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,9 @@`
`8`	`8`	`if (!User::isAdmin()) {`
`9`	`9`	`die('{"error":"' . __("Permission denied") . '"}');`
`10`	`10`	`}`
	`11`	`+if (!isGlobalTokenValid()) {`
	`12`	`+ die('{"error":"' . __("Invalid or missing CSRF token") . '"}');`
	`13`	`+}`
`11`	`14`
`12`	`15`	`$pluginName = $_POST['pluginName'];`
`13`	`16`