CVE-2025-34433

EPSS 48.36%
Veröffentlicht 19.12.2025 15:37:39
Zuletzt bearbeitet 19.12.2025 19:15:50
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

AVideo versions 14.3.1 prior to 20.1 contain an unauthenticated remote code execution vulnerability caused by predictable generation of an installation salt using PHP uniqid(). The installation timestamp is exposed via a public endpoint, and a derived hash identifier is accessible through unauthenticated API responses, allowing attackers to brute-force the remaining entropy. The recovered salt can then be used to encrypt a malicious payload supplied to a notification API endpoint that evaluates attacker-controlled input, resulting in arbitrary code execution as the web server user.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerWorld Wide Broadcast Network

≫

Produkt AVideo

Default Statusunaffected

Version < 20.1

Version 14.3.1

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	48.36%	0.977

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
disclosure@vulncheck.com	9.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://github.com/WWBN/AVideo/commit/4a53ab2

https://github.com/WWBN/AVideo/commit/a2bdbff

https://www.vulncheck.com/advisories/avideo-unauthenticated-rce-via-predictable-installation-salt

https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/

https://nvd.nist.gov/vuln/detail/CVE-2025-34433

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-34433

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-34433

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-34433