CVE-2018-25310

Summary

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting a cross-site request forgery flaw in the web management interface. Attackers with valid credentials can leverage the CSRF vulnerability to inject and execute system commands through the Tools > System > Shell interface, gaining root-level access to the device.

Affected Software

VendorProductVersion RangeStatus
VideoFlow Ltd.VideoFlow Digital Video Protection2.10affected
VideoFlow Ltd.VideoFlow Digital Video Protection1.40.0.15affected
VideoFlow Ltd.VideoFlow Digital Video Protection2.10.0.5affected

Weaknesses

  • CWE-352: Cross-Site Request Forgery (CSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References