CVE-2018-25311

MEDIUM

VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal 2.10 (X-Prototype-Version: 1.6.0.2)

Title source: cna

Description

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows authenticated attackers to disclose arbitrary files by injecting path traversal sequences in the ID parameter. Attackers can submit requests to downloadsys.pl, download_xml.pl, download.pl, downloadmib.pl, or downloadFile.pl with directory traversal payloads to read sensitive system files like /etc/passwd.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · text · webapps · perl
https://www.exploit-db.com/exploits/44386

References (3)

Exploit: ExploitDB-44386
https://www.exploit-db.com/exploits/44386
Vendor Advisory: Vulnerability Advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5454.php
Third Party Advisory: VulnCheck Advisory: VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal 2.10 (X-Prototype-Version: 1.6.0.2)
https://www.vulncheck.com/advisories/videoflow-digital-video-protection-dvp-10-authenticated-directory-traversal-x-prototype-version

Scores

CVSS v3 6.5
EPSS 0.0033
EPSS Percentile 56.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (3)
VideoFlow Ltd./VideoFlow Digital Video Protection 1.40.0.15
VideoFlow Ltd./VideoFlow Digital Video Protection 2.10
VideoFlow Ltd./VideoFlow Digital Video Protection 2.10.0.5
Published Apr 29, 2026
Tracked Since Apr 30, 2026