CVE-2025-34441
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-34441, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-17

Last updated on: 2025-12-19

Assigner: VulnCheck

Description

AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-17
Last Modified
2025-12-19
Generated
2026-07-06
AI Q&A
2025-12-17
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 20.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-34441 is a vulnerability in AVideo versions prior to 20.0 where an unauthenticated public API endpoint exposes sensitive user information. This includes emails, usernames, administrative status, and last login times. Because no authentication is required, attackers can retrieve this data, enabling user enumeration and violating user privacy. [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to access sensitive personal information such as email addresses, usernames, and administrative status without authentication. This can lead to user enumeration, privacy violations, and potential misuse of exposed data. Attackers could identify administrative users and potentially target them for further attacks. [1, 2]

Compliance Impact

The vulnerability exposes Personally Identifiable Information (PII) without authorization, which can lead to violations of privacy regulations such as GDPR and HIPAA. Unauthorized disclosure of user emails, names, and other personal data compromises user privacy and may result in non-compliance with these standards that require protection of sensitive user information. [1, 2]

Detection Guidance

This vulnerability can be detected by sending unauthenticated requests to the public API endpoints of AVideo versions prior to 20.0 and inspecting the responses for sensitive user information such as emails, usernames, administrative status, and last login times. For example, you can use curl commands to query the API endpoints without authentication and check if sensitive data is returned. A sample command might be: curl -X GET "http://<your-avideo-domain>/api/video" or curl -X GET "http://<your-avideo-domain>/api/user" and then review the JSON response for exposed sensitive fields. [1, 2]

Mitigation Strategies

The immediate mitigation step is to upgrade AVideo to version 20.0 or later, where the vulnerability has been fixed by removing sensitive user fields from unauthenticated public API responses. If upgrading is not immediately possible, restrict access to the public API endpoints to trusted users or networks, and ensure that API secrets and user authentication are properly enforced to prevent unauthenticated access to sensitive data. [1, 2]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34441. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart