CVE-2025-34437

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-34437

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-34437.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-34437

Published

2025-12-17T20:15:54.150Z

Modified

2026-03-15T22:52:37.457872Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects.

References

Affected packages

Git / github.com/wwbn/avideo

Affected ranges

Type: GIT
Repo: https://github.com/wwbn/avideo
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

4a53ab2056

Type: GIT
Repo: https://github.com/wwbn/avideo
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

d411f91805

Affected versions

10.*

10.4

10.8

Other

11.*

11.1

11.1.1

11.5

11.6

12.*

12.4

14.*

14.3

14.3.1

14.4

18.*

18.0

2.*

2.2

2.4

2.7

3.*

3.4

3.4.1

4.*

4.0

4.0.1

4.0.2

5.*

5.0

6.*

6.5

7.*

7.2

7.3

7.4

7.5

7.6

7.7

7.8

8.*

8.1

8.5

8.6

8.7

8.9

8.9.1

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "20.0"
            }
        ]
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-34437.json"