PT-2025-52457 · Avideo · Avideo
Valentin Lobstein
·
Published
2025-12-19
·
Updated
2025-12-22
·
CVE-2025-34433
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
AVideo versions prior to 20.1
Description
The software contains an unauthenticated remote code execution issue resulting from predictable generation of an installation salt using PHP uniqid(). The installation timestamp is exposed via a public endpoint, and a derived hash identifier is accessible through unauthenticated API responses, allowing attackers to recover the salt. This recovered salt can be used to encrypt a malicious payload supplied to a notification API endpoint that evaluates attacker-controlled input, leading to arbitrary code execution as the web server user. The vulnerable function is not specified.
Recommendations
Update to version 20.1 or later.
Exploit
Fix
RCE
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Avideo