Impact
The vulnerability appears in the site customization endpoint of the WWBN AVideo video platform, versions 26.0 and earlier. The endpoint performs no CSRF token validation and writes an uploaded logo file to disk before the ORM's domain-based security check runs. Because the platform sets its cookies with a SameSite=None policy, a cross-origin POST request issued from another site carries the victim's existing session cookie and triggers the logo upload. The defect lets an attacker replace the platform's logo with arbitrary content, defacing the site's appearance. The weakness corresponds to CWE-352, Cross-Site Request Forgery.
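The three defensive measures the advisory implies (a same-site session cookie, a CSRF token check, and every check running before the disk write), shown as an added PHP example that is not AVideo's own code; the function names, the csrf_token field and the $authorize callback are assumptions made for illustration.

```php
<?php
// Added example, not AVideo's own code: a hardened shape for a logo-upload
// endpoint. The function names, the csrf_token field and the $authorize
// callback are assumptions made for illustration.

// Session cookie restricted to same-site requests. SameSite=None is the
// setting that let a cross-origin POST carry the existing session.
session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true,
                           'httponly' => true, 'samesite' => 'Strict']);
session_start();
if (empty($_SESSION['csrf_token'])) { // issued per session, echoed into the form as a hidden field
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function csrfTokenIsValid(array $post, array $session): bool {
    $sent = $post['csrf_token'] ?? null;
    $expected = $session['csrf_token'] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

function originIsSameSite(?string $origin, string $hostHeader): bool {
    if ($origin === null) { return false; } // browsers send Origin on cross-site POSTs
    $parsed = parse_url($origin);
    $host = explode(':', $hostHeader)[0];   // drop any port from the Host header
    return is_array($parsed) && strcasecmp($parsed['host'] ?? '', $host) === 0;
}
// Every check runs BEFORE anything touches disk; the advisory's flaw was a
// write that happened ahead of the security check.
function handleLogoUpload(array $post, array $files, array $server, array $session,
                          callable $authorize, string $destDir): array {
    if (!csrfTokenIsValid($post, $session)) {
        return ['error' => true, 'msg' => 'CSRF token missing or invalid'];
    }
    if (!originIsSameSite($server['HTTP_ORIGIN'] ?? null, $server['HTTP_HOST'] ?? '')) {
        return ['error' => true, 'msg' => 'cross-origin request rejected'];
    }
    if (!$authorize($session)) { // the platform's own admin / domain check, run first
        return ['error' => true, 'msg' => 'not authorized'];
    }
    $tmp = $files['logo']['tmp_name'] ?? '';
    $info = ($tmp !== '' && is_uploaded_file($tmp)) ? getimagesize($tmp) : false;
    if ($info === false) {
        return ['error' => true, 'msg' => 'upload is not a valid image'];
    }
    $dest = rtrim($destDir, '/') . '/logo' . image_type_to_extension($info[2], true);
    return move_uploaded_file($tmp, $dest)
        ? ['error' => false, 'msg' => 'logo updated']
        : ['error' => true, 'msg' => 'could not store logo'];
}
```

The order of the checks is the point: the token and origin checks reject a forged cross-site request, and the platform's own authorization runs before the file is written rather than after.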
Affected Systems
The affected product is the WWBN AVideo platform; versions 26.0 and earlier contain the missing CSRF check and the write-before-check file routine. The advisory lists no patched version, but upgrading to a build newer than 26.0 removes the flaw.
Risk and Exploitability
The CVSS score of 4.3 indicates a low severity from a purely technical standpoint, but the potential for brand defacement and the ease of exploitation via a cross-origin POST make it a nuisance that should be addressed promptly. EPSS data is not available, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is a remote attacker crafting a cross-origin HTTP request that exploits the missing CSRF token and the lax SameSite cookie setting. No prerequisites beyond normal web interaction are required: any visitor with access to the 'admin/customize_settings_nativeUpdate.json.php' endpoint could be made to trigger the logo overwrite, and because the attacker needs no elevated privileges of their own, the barrier to exploitation is low.
OpenCVE Enrichment