WWBN AVideo is an open source video platform. In versions up to and including 26.0, the "plugin/Live/uploadPoster.php" endpoint allows any authenticated user to overwrite the poster image for any scheduled live stream by supplying an arbitrary "live_schedule_id". The endpoint only checks "User::isLogged()" but never verifies that the authenticated user owns the targeted schedule. After overwriting the poster, the endpoint broadcasts a "socketLiveOFFCallback" notification containing the victim's broadcast key and user ID to all connected WebSocket clients. Commit 5fcb3bdf59f26d65e203cfbc8a685356ba300b60 fixes the issue.