Primary

Context

AVideo Insecure Direct Object Reference Vulnerability Allowing Arbitrary File Deletion

Vulnerability

Patched

A vulnerability exists in AVideo versions prior to 20.0, where an insecure direct object reference (IDOR) allows authenticated users to delete media files belonging to other users. The issue arises because the affected endpoint, while validating authentication, does not check ownership or editing permissions for the targeted videos.

Impact

Exploitation of this vulnerability allows for unauthorized deletion of media files, potentially leading to data loss for affected users.

Remediation

Users can upgrade to AVideo version 20.0 or later, which addresses this vulnerability by implementing proper ownership and permission checks. Instructions for updating AVideo can be found in the AVideo Release Notes.

Added: Dec 17, 2025, 8:32 PM

Updated: Dec 17, 2025, 8:32 PM

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

0.6

exploitability

6.1

remediation

7.7

relevance

1.4

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

0.6

exploitability

6.1

remediation

7.7

relevance

1.4

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

AVideo Insecure Direct Object Reference Vulnerability Allowing Arbitrary File Deletion

Vulnerability

Impact

Remediation

Affected Products

WWBN AVideo

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating