CVE-2025-34441
BaseFortify

Publication date: 2025-12-17

Last updated on: 2025-12-19

Assigner: VulnCheck

Description
AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations.
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-12-17
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: wwbn
Product: avideo
Version / Range: up to 20.0 (excluding 20.0)
CWE
CWE-359: The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
AI Quick Actions
Executive Summary

CVE-2025-34441 is a vulnerability in AVideo versions prior to 20.0 where an unauthenticated public API endpoint exposes sensitive user information. This includes emails, usernames, administrative status, and last login times. Because no authentication is required, attackers can retrieve this data, enabling user enumeration and violating user privacy. [1]

Impact Analysis

This vulnerability allows attackers to access sensitive personal information such as email addresses, usernames, and administrative status without authentication. This can lead to user enumeration, privacy violations, and potential misuse of the exposed data. Attackers could identify administrative users and potentially target them for further attacks. [1, 2]

Compliance Impact

The vulnerability exposes Personally Identifiable Information (PII) without authorization, which can lead to violations of privacy regulations such as GDPR and HIPAA. Unauthorized disclosure of user emails, names, and other personal data compromises user privacy and may result in non-compliance with these standards that require protection of sensitive user information. [1, 2]

Detection Guidance

This vulnerability can be detected by sending unauthenticated requests to the public API endpoints of an AVideo instance (versions prior to 20.0) and inspecting the responses for sensitive user information such as emails, usernames, administrative status, and last login times. For example, query the API endpoints with curl without supplying any credentials and check whether sensitive data is returned: curl -X GET "http://<your-avideo-domain>/api/video" or curl -X GET "http://<your-avideo-domain>/api/user", then review the JSON response for exposed sensitive fields. [1, 2]
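
As an added example (not part of the BaseFortify record or AVideo's own code), the following Python helper audits a captured API response body for the categories of user data the advisory lists, so you can verify your own instance before and after upgrading. The JSON key names (email, user, isAdmin, lastLogin) and the two sample responses are assumptions constructed for this example; AVideo's real field names may differ and should be substituted.

```python
import json
from typing import Any

# Assumed key names for the data categories the advisory lists; AVideo's
# actual field names are not given on the page and may differ.
SENSITIVE_KEYS = {
    "email": "email address",
    "user": "username",
    "isAdmin": "administrative status",
    "lastLogin": "last login time",
}


def _walk(node: Any, path: str, hits: list[tuple[str, str]]) -> None:
    """Recursively record (json_path, category) for every sensitive key."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS:
                hits.append((child, SENSITIVE_KEYS[key]))
            _walk(value, child, hits)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            _walk(item, f"{path}[{index}]", hits)


def audit_response(body: str) -> list[tuple[str, str]]:
    """Return every sensitive field found in a JSON response body."""
    hits: list[tuple[str, str]] = []
    _walk(json.loads(body), "", hits)
    return hits


def exposure_summary(body: str) -> dict[str, int]:
    """Count exposed fields per category, e.g. {'email address': 2}."""
    counts: dict[str, int] = {}
    for _, category in audit_response(body):
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample bodies (not real AVideo output): one shaped like a
# pre-fix response, one with the sensitive fields stripped out.
SAMPLE_VULNERABLE = json.dumps([
    {"id": 1, "user": "alice", "email": "alice@example.com",
     "isAdmin": "1", "lastLogin": "2025-12-01 10:00:00"},
    {"id": 2, "user": "bob", "email": "bob@example.com",
     "isAdmin": "0", "lastLogin": "2025-12-02 09:30:00"},
])
SAMPLE_FIXED = json.dumps([{"id": 1}, {"id": 2}])

if __name__ == "__main__":
    for label, body in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        print(label, exposure_summary(body) or "no sensitive fields")
```

Feed the helper the body saved from the curl commands above; a non-empty summary after upgrading means the instance still returns fields that should have been removed.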

Mitigation Strategies

The immediate mitigation step is to upgrade AVideo to version 20.0 or later, where the vulnerability has been fixed by removing sensitive user fields from unauthenticated public API responses. If upgrading is not immediately possible, restrict access to the public API endpoints to trusted users or networks, and ensure that API secrets and user authentication are properly enforced to prevent unauthenticated access to sensitive data. [1, 2]
