Description

AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects.

Related CPE's

a

wwbn

avideo

Vulnerable

References

https://github.com/WWBN/AVideo/commit/4a53ab2056

Patch

https://github.com/WWBN/AVideo/commit/d411f91805

Patch

https://www.vulncheck.com/advisories/avideo-idor-arbitrary-comment-image-upload

Third Party Advisory

Weaknesses

[email protected]

Secondary
CWE-639

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8 · High

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2025-12-17T20:15:54.150

47 hours ago

Last modified

2025-12-19T16:15:55.940

3 hours ago