CVE-2025-34437
BaseFortify
Publication date: 2025-12-17
Last updated on: 2025-12-19
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | to 20.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in AVideo versions prior to 20.0 allows any authenticated user to upload comment images to videos owned by other users. The application verifies that the user is authenticated but fails to check if the user actually owns the target video. This missing ownership check enables attackers to perform unauthorized uploads to arbitrary video objects, effectively an Insecure Direct Object Reference (IDOR) issue. [1, 2]
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized users uploading images to videos they do not own, potentially allowing attackers to manipulate or deface video content. This can compromise the integrity and availability of video content, damage user trust, and may lead to further exploitation depending on the content uploaded. The CVSS score of 8.7 indicates a high severity with significant impact on confidentiality, integrity, and availability. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by attempting to upload comment images to videos you do not own using authenticated user credentials. Specifically, test the image upload endpoint (e.g., view/mini-upload-form/imageUpload.json.php) with a video ID that you do not have edit permissions for. If the upload succeeds without an authorization error, the system is vulnerable. There are no specific commands provided, but a practical approach is to use tools like curl or Postman to send authenticated POST requests to the image upload endpoint with arbitrary video IDs and observe the response for authorization enforcement. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade AVideo to version 20.0 or later, where the vulnerability is patched. The patch enforces authorization checks to ensure only users with edit permissions on a video can upload images to it. If upgrading is not immediately possible, restrict access to the image upload endpoints to trusted users only and monitor for unauthorized upload attempts. [1, 2]