CVE-2019-25256

Summary

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows attackers to access arbitrary system files through unvalidated 'ID' parameters. Attackers can exploit multiple Perl scripts like downloadsys.pl to read sensitive files by manipulating directory path traversal in download requests.

Affected Software

VendorProductVersion RangeStatus
VideoFlow Ltd.Digital Video Protection DVP2.10affected
VideoFlow Ltd.Digital Video Protection DVP1.40.0.15affected
VideoFlow Ltd.Digital Video Protection DVP2.10.0.5affected

Weaknesses

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References