2025-12-24 19:28 | CVE-2019-25255 | VulnCheck
PUBLISHED | 5.2 | CWE-78

VideoFlow Digital Video Protection DVP 2.10 Authenticated Remote Code Execution

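VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that lets an attacker execute system commands with root privileges. The flaw can be exploited through cross-site request forgery (CSRF), that is, by a forged request sent in an authenticated user's session, giving the attacker unauthorized access to the system. The CVSS 3.1 vector in the JSON record below (PR:L/UI:N, C:N/I:L/A:N, base score 4.3) does not reflect root-level command execution or the user interaction a CSRF path implies, so triage should weigh the described impact and CWE-78 rather than the score alone.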

Problem type

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected products

VideoFlow Ltd.

VideoFlow Digital Video Protection DVP

2.10 - AFFECTED

1.40.0.15 - AFFECTED

2.10.0.5 - AFFECTED

References

GitHub Security Advisories

GHSA-x2q3-mg28-hh72

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution...

https://github.com/advisories/GHSA-x2q3-mg28-hh72

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows attackers to execute system commands with root privileges. Attackers can exploit the vulnerability through a cross-site request forgery (CSRF) mechanism to gain unauthorized system access.

JSON source

https://cveawg.mitre.org/api/cve/CVE-2019-25255
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2019-25255",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2025-12-24T20:21:43.515Z",
    "dateReserved": "2025-12-24T14:27:12.478Z",
    "datePublished": "2025-12-24T19:28:05.284Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2025-12-24T19:28:05.284Z"
      },
      "datePublic": "2018-02-01T00:00:00.000Z",
      "title": "VideoFlow Digital Video Protection DVP 2.10 Authenticated Remote Code Execution",
      "descriptions": [
        {
          "lang": "en",
          "value": "VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows attackers to execute system commands with root privileges. Attackers can exploit the vulnerability through a cross-site request forgery (CSRF) mechanism to gain unauthorized system access."
        }
      ],
      "affected": [
        {
          "vendor": "VideoFlow Ltd.",
          "product": "VideoFlow Digital Video Protection DVP",
          "versions": [
            {
              "version": "2.10",
              "status": "affected"
            },
            {
              "version": "1.40.0.15",
              "status": "affected"
            },
            {
              "version": "2.10.0.5",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
              "cweId": "CWE-78",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.exploit-db.com/exploits/44387",
          "name": "ExploitDB-44387",
          "tags": [
            "exploit"
          ]
        },
        {
          "url": "http://www.video-flow.com",
          "name": "VideoFlow Official Product Homepage",
          "tags": [
            "product"
          ]
        },
        {
          "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5455.php",
          "name": "Zero Science Lab Disclosure (ZSL-2018-5455)",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2025-12-24T20:21:43.515Z"
        },
        "title": "CISA ADP Vulnrichment",
        "references": [
          {
            "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5455.php",
            "tags": [
              "exploit"
            ]
          },
          {
            "url": "http://www.video-flow.com",
            "tags": [
              "exploit"
            ]
          }
        ],
        "metrics": [
          {}
        ]
      }
    ]
  }
}