CVE-2018-25311

MEDIUM

VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal 2.10 (X-Prototype-Version: 1.6.0.2)

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25311. PoCs published by LiquidWorm.

AI-analyzed exploit summary: The exploit demonstrates an authenticated directory traversal vulnerability in VideoFlow Digital Video Protection DVP 10, allowing arbitrary file disclosure via the 'ID' parameter in multiple Perl scripts. The provided curl command successfully retrieves the contents of '/etc/passwd'.

Description

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows attackers with valid credentials to disclose arbitrary files by injecting path traversal sequences in the ID parameter. Attackers can submit requests to downloadsys.pl, download_xml.pl, download.pl, downloadmib.pl, or downloadFile.pl with directory traversal payloads to read sensitive system files like /etc/passwd.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · text, webapps, perl
https://www.exploit-db.com/exploits/44386

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: VideoFlow Digital Video Protection DVP 10 (version 2.10 and earlier)
Auth required
Prerequisites: valid session cookie (authenticated access)
devstral-2 · analyzed Apr 30, 2026

References (3)

Core References
Exploit: ExploitDB-44386
https://www.exploit-db.com/exploits/44386
Vendor Advisory: Vulnerability Advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5454.php
Third Party Advisory: VulnCheck Advisory: VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal 2.10 (X-Prototype-Version: 1.6.0.2)
https://www.vulncheck.com/advisories/videoflow-digital-video-protection-dvp-10-authenticated-directory-traversal-x-prototype-version

Scores

CVSS v3 6.5
EPSS 0.0060
EPSS Percentile 43.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE CWE-22
Status published
Products (3)
VideoFlow Ltd./VideoFlow Digital Video Protection 1.40.0.15
VideoFlow Ltd./VideoFlow Digital Video Protection 2.10
VideoFlow Ltd./VideoFlow Digital Video Protection 2.10.0.5
Published Apr 29, 2026
Tracked Since Apr 30, 2026