PT-2025-51888 · Avideo · Avideo
Valentin Lobstein
·
Published
2025-12-17
·
Updated
2025-12-21
·
CVE-2025-34436
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
AVideo versions prior to 20.1
AVideo versions prior to 20.0
Description
AVideo versions prior to 20.1 have a flaw where authenticated users can upload files into directories owned by other users. This is due to an insecure direct object reference, meaning the upload functionality confirms a user is logged in but doesn’t verify if they should have access to the target directory. The application does not enforce ownership checks during the file upload process.
Recommendations
Update AVideo to version 20.1 or later.
Update AVideo to version 20.0 or later.
Exploit
Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Avideo