PKSA-psg4-6wzm-s4q8 Security Advisory
[HIGH] AVideo's Meet plugin: `uploadRecordedVideo.json.php` derives `users_id` from the uploaded filename and calls passwordless `User->login()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin
PKSA-psg4-6wzm-s4q8 GHSA-qxvm-r42f-5p8j
Affected package: wwbn/avideo
Affected version: <=29.0
Reported by: GitHub