PT-2026-28617 · Avideo · Live+1
Offset · Published 2026-03-27 · Updated 2026-03-30 · CVE-2026-34247
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
AVideo versions up to and including 26.0
Description

The plugin/Live/uploadPoster.php endpoint allows any authenticated user to overwrite the poster image for any scheduled live stream by supplying an arbitrary live schedule id. The endpoint only verifies that a user is logged in using the User::isLogged() function; it does not verify that the authenticated user owns the targeted schedule. After overwriting the poster, the endpoint broadcasts a socketLiveOFFCallback notification containing the victim's broadcast key and user ID to all connected WebSocket clients. The vulnerable code resolves the poster path from the live schedule id without any authorization check: the getPosterPaths() method constructs file paths solely from the numeric ID. The broadcast notification is sent using Live::notifySocketStats(), which calls sendSocketMessageToAll() to reach every connected WebSocket client. The issue stems from a missing ownership check in the uploadPoster.php endpoint, while parallel endpoints do include such checks, indicating an oversight. The vulnerability allows content tampering, false offline notifications, information disclosure of the victim's users_id and broadcast key, and trivial enumeration of targets because schedule IDs are sequential. The $_REQUEST array is used to retrieve the live_servers_id and live_schedule_id variables.

Recommendations
Add an ownership check after the login verification at line 17 in plugin/Live/uploadPoster.php:

```php
if (!User::isLogged()) {
    $obj->msg = 'You cant edit this file';
    die(json_encode($obj));
}
// Add ownership check for scheduled live streams
if (!empty($live_schedule_id)) {
    $ls = new Live_schedule($live_schedule_id);
    if ($ls->getUsers_id() != User::getId() && !User::isAdmin()) {
        $obj->msg = 'Not authorized';
        die(json_encode($obj));
    }
}
```
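As an added illustration that is not part of the advisory or of AVideo's code, the following Python model contrasts the original login-only check with the recommended login-plus-ownership check and shows why the difference matters for the broadcast payload and for target enumeration. The schedule table, user ids and broadcast keys are constructed sample data, and all function names are my own.

```python
"""Model of the authorization gap in uploadPoster.php (added example, not AVideo code)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    users_id: int
    is_admin: bool = False


@dataclass(frozen=True)
class LiveSchedule:
    live_schedule_id: int
    users_id: int  # owner of the schedule
    broadcast_key: str


# Constructed sample data standing in for the live_schedule table.
# Note the sequential ids: with no ownership check, a caller can simply
# count upwards and reach every schedule.
SCHEDULES = {
    1: LiveSchedule(1, users_id=10, broadcast_key="constructed-key-user-10"),
    2: LiveSchedule(2, users_id=20, broadcast_key="constructed-key-user-20"),
    3: LiveSchedule(3, users_id=10, broadcast_key="constructed-key-user-10b"),
}

Authorizer = Callable[[Optional[User], int], bool]


def vulnerable_authorize(user: Optional[User], live_schedule_id: int) -> bool:
    """Mirrors the original endpoint: the only question asked is 'is someone logged in?'."""
    return user is not None


def fixed_authorize(user: Optional[User], live_schedule_id: int) -> bool:
    """Login plus ownership (or admin), as in the recommended patch.

    An id that does not resolve to a schedule is refused rather than falling
    through, so the check fails closed.
    """
    if user is None:
        return False
    schedule = SCHEDULES.get(live_schedule_id)
    if schedule is None:
        return False
    return schedule.users_id == user.users_id or user.is_admin


def upload_poster(user: Optional[User], live_schedule_id: int, authorize: Authorizer) -> dict:
    """Simulate the endpoint. On success, return the fields the advisory says are
    broadcast to all WebSocket clients (owner users_id and broadcast key)."""
    if not authorize(user, live_schedule_id):
        return {"error": True, "msg": "Not authorized"}
    schedule = SCHEDULES.get(live_schedule_id)
    if schedule is None:
        return {"error": True, "msg": "Unknown schedule"}
    # This is the socketLiveOFFCallback payload described in the advisory;
    # reaching it for a schedule you do not own is the information leak.
    return {"error": False, "users_id": schedule.users_id, "key": schedule.broadcast_key}


def reachable_schedules(user: Optional[User], authorize: Authorizer) -> list:
    """Which schedule ids a given caller can overwrite under a given check.

    Used here to show the blast radius: every row under the vulnerable check,
    only the caller's own rows under the fixed one.
    """
    return sorted(sid for sid in SCHEDULES if authorize(user, sid))


if __name__ == "__main__":
    mallory = User(users_id=20)
    print("vulnerable:", reachable_schedules(mallory, vulnerable_authorize))
    print("fixed:     ", reachable_schedules(mallory, fixed_authorize))
```

The point of `reachable_schedules` is the difference in blast radius rather than the mechanics of any single request: the login-only check makes every row reachable by every account, which is what turns sequential ids into trivial enumeration, while the ownership check confines each account to its own rows and an admin flag is the only documented exception.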
Weakness Enumeration
Missing Authorization

Affected Products
Avideo
Live