CVE-2025-34437 is an authorization bypass vulnerability in World Wide Broadcast Network's AVideo product. Versions prior to 20.1 permit authenticated users to upload comment images to videos they do not own. The endpoint responsible for handling image uploads validates that the user is authenticated but fails to enforce ownership checks on the target video, allowing attackers to perform unauthorized uploads to arbitrary video objects. This issue is classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The CVSS 4.0 base score is 8.7, indicating a high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.

An attacker with valid authentication credentials can upload images as comments to videos owned by other users without authorization. This could lead to unauthorized content injection, potential defacement, or manipulation of video comments, impacting the integrity and trustworthiness of the platform's content. There is no indication of remote code execution or data exfiltration beyond the unauthorized upload capability.

No official patch or fix is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, restrict authenticated user permissions where possible and monitor for unusual upload activity. Implement additional access controls or validation on the upload endpoint if feasible.