CVE-2018-25311
6.5 MEDIUMVideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows attackers with valid ...
Published: 2026-04-29 · Last updated: 2026-05-26
Severity and scoring
- CVSS
- 6.5 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- CWE
- CWE-22
Description
VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows attackers with valid credentials to disclose arbitrary files by injecting path traversal sequences in the ID parameter. Attackers can submit requests to downloadsys.pl, download_xml.pl, download.pl, downloadmib.pl, or downloadFile.pl with directory traversal payloads to read sensitive system files like /etc/passwd.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2018-25311
- [Other]https://www.exploit-db.com/exploits/44386
- [Other]https://www.vulncheck.com/advisories/videoflow-digital-video-protection-dvp-10-authenticated-directory-traversal-x-prototype-version
- [Other]https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5454.php
Related CVEs
Same CWE
- CVE-2026-48777 — FileBrowser Quantum is a free, self-hosted, web-based file manager
- CVE-2026-8442 — The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8 (8.1 HIGH)
- CVE-2026-49766 — Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions (9.9 CRITICAL)
- CVE-2026-49061 — Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions (7.5 HIGH)
- CVE-2026-40779 — Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions (7.7 HIGH)