WWBN AVideo is an open source video platform. In versions 29.0 and prior, "objects/configurationUpdate.json.php" (also routed via "/updateConfig") persists dozens of global site settings from "$_POST" but protects the endpoint only with "User::isAdmin()". It does not call "forbidIfIsUntrustedRequest()", does not verify a "globalToken", and does not validate the Origin/Referer header. Because AVideo intentionally sets "session.cookie_samesite=None" to support cross-origin iframe embedding, a logged-in administrator who visits an attacker-controlled page will have the browser auto-submit a cross-origin POST that rewrites the site's encoder URL, SMTP credentials, site "<head>" HTML, logo, favicon, contact email, and more in a single request. Commit f9492f5e6123dff0292d5bb3164fde7665dc36b4 contains a fix.