CVE-2025-34437
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-17

Last updated on: 2025-12-19

Assigner: VulnCheck

Description
AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-12-17
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34437
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 20.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in AVideo versions prior to 20.0 allows any authenticated user to upload comment images to videos owned by other users. The application verifies that the user is authenticated but fails to check if the user actually owns the target video. This missing ownership check enables attackers to perform unauthorized uploads to arbitrary video objects, effectively an Insecure Direct Object Reference (IDOR) issue. [1, 2]

Impact Analysis

The vulnerability can lead to unauthorized users uploading images to videos they do not own, potentially allowing attackers to manipulate or deface video content. This can compromise the integrity and availability of video content, damage user trust, and may lead to further exploitation depending on the content uploaded. The CVSS score of 8.7 indicates a high severity with significant impact on confidentiality, integrity, and availability. [1, 2]

Detection Guidance

You can detect this vulnerability by attempting to upload comment images to videos you do not own using authenticated user credentials. Specifically, test the image upload endpoint (e.g., view/mini-upload-form/imageUpload.json.php) with a video ID that you do not have edit permissions for. If the upload succeeds without an authorization error, the system is vulnerable. There are no specific commands provided, but a practical approach is to use tools like curl or Postman to send authenticated POST requests to the image upload endpoint with arbitrary video IDs and observe the response for authorization enforcement. [1]

Mitigation Strategies

The immediate mitigation is to upgrade AVideo to version 20.0 or later, where the vulnerability is patched. The patch enforces authorization checks to ensure only users with edit permissions on a video can upload images to it. If upgrading is not immediately possible, restrict access to the image upload endpoints to trusted users only and monitor for unauthorized upload attempts. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34437. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart