CVE-2019-25256
7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows attackers to access arbitrary system files through unvalidated 'ID' parameters. Attackers can exploit multiple Perl scripts like downloadsys.pl to read sensitive files by manipulating directory path traversal in download requests.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| VideoFlow Ltd. | Digital Video Protection DVP | 2.10 | affected |
| VideoFlow Ltd. | Digital Video Protection DVP | 1.40.0.15 | affected |
| VideoFlow Ltd. | Digital Video Protection DVP | 2.10.0.5 | affected |
Weaknesses
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
- https://www.exploit-db.com/exploits/44386
- http://www.video-flow.com
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5454.php
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.