CVE-2022-25216
HIGH NUCLEIDVDFab 12 Player 6.2.10-6.2.10 and PlayerFab 7.0.0.0-7.0.0.4 - Unauthenticated Path Traversal via Download Endpoint
Title source: llmExploitation Summary
CVE-2022-25216 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
An absolute path traversal vulnerability allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player (recently renamed PlayerFab) has read-access, by means of an HTTP GET request to http://<IP_ADDRESS>:32080/download/<URL_ENCODED_PATH>.
Nuclei Templates (1)
DVDFab 12 Player/PlayerFab - Local File Inclusion
HIGHby 0x_Akoko
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.tenable.com/security/research/tra-2022-07
Scores
CVSS v3
7.5
EPSS
0.1384
EPSS Percentile
96.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-22
Status
published
Products (2)
dvdfab/12_player
6.2.10 - 6.2.11
dvdfab/playerfab
7.0.0.0 - 7.0.0.5
Published
Mar 11, 2022
Tracked Since
Feb 18, 2026