CVE-2025-34436
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-17

Last updated on: 2025-12-19

Assigner: VulnCheck

Description
AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-12-17
EPSS Evaluated
2026-06-14
NVD
CVE-2025-34436
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 20.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-34436 is an Insecure Direct Object Reference (IDOR) vulnerability in AVideo versions prior to 20.0. It allows any authenticated user to upload arbitrary files into directories belonging to other users because the upload functionality checks only if the user is authenticated but does not verify if the user owns or is authorized to upload to the target directory. [1]

Impact Analysis

This vulnerability can lead to unauthorized file uploads into other users' directories, potentially compromising confidentiality, integrity, and availability of data. An attacker with low privileges can exploit this flaw remotely without user interaction, which may result in data breaches, malware uploads, or disruption of service. [1]

Detection Guidance

To detect this vulnerability, you can check if your AVideo installation is running a version prior to 20.0, as these versions are affected. Additionally, monitoring file upload activities for unauthorized uploads into other users' directories may help identify exploitation attempts. Specific commands are not provided in the available resources. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade AVideo to version 20.0 or later, where this vulnerability has been fixed. Until the upgrade, restrict authenticated users' permissions to prevent uploading files into directories they do not own. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34436. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart