
Description

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows authenticated attackers to disclose arbitrary files by injecting path traversal sequences in the ID parameter. Attackers can submit requests to downloadsys.pl, download_xml.pl, download.pl, downloadmib.pl, or downloadFile.pl with directory traversal payloads to read sensitive system files like /etc/passwd.

PUBLISHED Reserved 2026-04-29 | Published 2026-04-29 | Updated 2026-04-30 | Assigner VulnCheck




HIGH: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
MEDIUM: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Problem types

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

2.10: affected

1.40.0.15: affected

2.10.0.5: affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab (finder)

References

www.exploit-db.com/exploits/44386 (ExploitDB-44386) exploit

www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5454.php (Vulnerability Advisory) vendor-advisory

www.vulncheck.com/...directory-traversal-x-prototype-version (VulnCheck Advisory: VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal 2.10 (X-Prototype-Version: 1.6.0.2)) third-party-advisory

cve.org (CVE-2018-25311)

nvd.nist.gov (CVE-2018-25311)
