2025-12-24 19:28 | CVE-2019-25256 | VulnCheck
PUBLISHED | 5.2 | CWE-22

VideoFlow Digital Video Protection DVP 2.10 Authenticated Directory Traversal

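VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows attackers to read arbitrary system files through unvalidated 'ID' parameters. Multiple Perl scripts, such as downloadsys.pl, accept directory traversal sequences in download requests, which exposes sensitive files. The title names version 2.10, but the affected-products list below also marks 1.40.0.15 and 2.10.0.5 as affected. The CVSS 3.1 vector in the JSON record sets privileges required to LOW, so any valid low-privileged account is within scope.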

Problem type

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected products

VideoFlow Ltd.

Digital Video Protection DVP

2.10 - AFFECTED

1.40.0.15 - AFFECTED

2.10.0.5 - AFFECTED

References

GitHub Security Advisories

GHSA-2gg3-j2hg-72f4

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal...

https://github.com/advisories/GHSA-2gg3-j2hg-72f4

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows attackers to access arbitrary system files through unvalidated 'ID' parameters. Attackers can exploit multiple Perl scripts like downloadsys.pl to read sensitive files by manipulating directory path traversal in download requests.

JSON source

https://cveawg.mitre.org/api/cve/CVE-2019-25256
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2019-25256",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2025-12-24T20:21:37.347Z",
    "dateReserved": "2025-12-24T14:27:12.478Z",
    "datePublished": "2025-12-24T19:28:05.689Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2025-12-24T19:28:05.689Z"
      },
      "datePublic": "2018-02-01T00:00:00.000Z",
      "title": "VideoFlow Digital Video Protection DVP 2.10 Authenticated Directory Traversal",
      "descriptions": [
        {
          "lang": "en",
          "value": "VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows attackers to access arbitrary system files through unvalidated 'ID' parameters. Attackers can exploit multiple Perl scripts like downloadsys.pl to read sensitive files by manipulating directory path traversal in download requests."
        }
      ],
      "affected": [
        {
          "vendor": "VideoFlow Ltd.",
          "product": "Digital Video Protection DVP",
          "versions": [
            {
              "version": "2.10",
              "status": "affected"
            },
            {
              "version": "1.40.0.15",
              "status": "affected"
            },
            {
              "version": "2.10.0.5",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
              "cweId": "CWE-22",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.exploit-db.com/exploits/44386",
          "name": "ExploitDB-44386",
          "tags": [
            "exploit"
          ]
        },
        {
          "url": "http://www.video-flow.com",
          "name": "VideoFlow Product Web Page",
          "tags": [
            "product"
          ]
        },
        {
          "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5454.php",
          "name": "Zero Science Lab Disclosure (ZSL-2018-5454)",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2025-12-24T20:21:37.347Z"
        },
        "title": "CISA ADP Vulnrichment",
        "references": [
          {
            "url": "http://www.video-flow.com",
            "tags": [
              "exploit"
            ]
          },
          {
            "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5454.php",
            "tags": [
              "exploit"
            ]
          }
        ],
        "metrics": [
          {}
        ]
      }
    ]
  }
}