CVE-2025-34441
BaseFortify
Publication date: 2025-12-17
Last updated on: 2025-12-19
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | < 20.0 (20.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-359 | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-34441 is a vulnerability in AVideo versions prior to 20.0 where an unauthenticated public API endpoint exposes sensitive user information. This includes emails, usernames, administrative status, and last login times. Because no authentication is required, attackers can retrieve this data, enabling user enumeration and violating user privacy. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to access sensitive personal information such as email addresses, usernames, and administrative status without authentication. This can lead to user enumeration, privacy violations, and potential misuse of exposed data. Attackers could identify administrative users and potentially target them for further attacks. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability exposes Personally Identifiable Information (PII) without authorization, which can lead to violations of privacy regulations such as GDPR and HIPAA. Unauthorized disclosure of user emails, names, and other personal data compromises user privacy and may result in non-compliance with these standards that require protection of sensitive user information. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending unauthenticated requests to the public API endpoints of an AVideo instance older than 20.0 and inspecting the responses for sensitive user information such as emails, usernames, administrative status, and last login times. For example, query the API endpoints with curl and no credentials, such as curl -X GET "http://<your-avideo-domain>/api/video" or curl -X GET "http://<your-avideo-domain>/api/user", and then review the JSON response for exposed sensitive fields. If those fields are returned to an unauthenticated client, the instance is affected. [1, 2]
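A scripted version of the check described above, added here as an example and not code from the BaseFortify page or the AVideo project: it fetches the two endpoints the answer names with no credentials and flags every JSON key whose name suggests one of the data classes the advisory lists. The key-name patterns, the constructed sample response and the base-URL argument are assumptions, since the page does not give AVideo's actual field names.

```python
import json
import re
import sys
import urllib.request

# Endpoints named in the detection answer above; adjust to your deployment.
ENDPOINTS = ["/api/video", "/api/user"]

# Key-name patterns for the data classes the advisory lists. The exact field
# names AVideo uses are an assumption here; widen them for your instance.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"e-?mail", re.I),
    "username": re.compile(r"user_?name", re.I),
    "admin": re.compile(r"admin", re.I),
    "last_login": re.compile(r"last_?(login|access)", re.I),
}

# Constructed sample response (not captured from a real instance) for a self-check.
SAMPLE_RESPONSE = {"response": [
    {"id": 1, "owner": {"user_name": "alice", "email": "a@example.test", "isAdmin": True, "last_login": "2025-12-01"}},
    {"id": 2, "owner": {"user_name": "bob", "email": "b@example.test", "isAdmin": False, "last_login": None}},
]}

def find_sensitive_fields(obj, path=""):
    """Walk decoded JSON; return (json_path, category) for each key whose name
    matches a sensitive pattern. An empty list means nothing was flagged."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else str(key)
            category = next((c for c, p in SENSITIVE_PATTERNS.items() if p.search(str(key))), None)
            if category:
                hits.append((here, category))
            hits.extend(find_sensitive_fields(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_sensitive_fields(item, f"{path}[{i}]"))
    return hits

def check_endpoint(base_url, endpoint, timeout=10):
    """Fetch one endpoint with no credentials and return the flagged fields."""
    req = urllib.request.Request(base_url.rstrip("/") + endpoint, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return find_sensitive_fields(json.load(resp))

if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else sys.exit("usage: check.py http://<your-avideo-domain>")
    for ep in ENDPOINTS:
        for json_path, category in check_endpoint(base, ep):
            print(f"{ep}: unauthenticated response exposes {category} at {json_path}")
```

Run it against your own instance before and after upgrading to 20.0; a clean run prints nothing.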
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade AVideo to version 20.0 or later, where the vulnerability has been fixed by removing sensitive user fields from unauthenticated public API responses. If upgrading is not immediately possible, restrict access to the public API endpoints to trusted users or networks, and ensure that API secrets and user authentication are properly enforced to prevent unauthenticated access to sensitive data. [1, 2]