VYPR
Medium severity 6.5 · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2019-25256


Description

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows attackers to access arbitrary system files through unvalidated 'ID' parameters. Attackers can exploit multiple Perl scripts, such as downloadsys.pl, to read sensitive files by placing directory traversal sequences in download requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated directory traversal in VideoFlow DVP 2.10 allows attackers to read arbitrary system files via unvalidated 'ID' parameter in Perl scripts.

The vulnerability is an authenticated directory traversal in VideoFlow Digital Video Protection (DVP) version 2.10. The root cause is insufficient validation of the 'ID' parameter in several Perl scripts (e.g., download.pl, download_xml.pl, downloadmib.pl, downloadFile.pl) that handle file downloads. The parameter is directly used in the Content-Disposition header and file path without sanitization, allowing path traversal sequences [2].

An attacker with valid authentication credentials can exploit this by sending crafted requests to the affected scripts, manipulating the 'ID' parameter with directory traversal sequences (e.g., ../) to read arbitrary files outside the intended directory. The vulnerability is present in multiple scripts, as identified in the exploit database entry [2]. The absence of a session expiration mechanism further aids exploitation.

Successful exploitation allows an attacker to read sensitive system files, including configuration files, credentials, or other data stored on the DVP appliance. This could lead to further compromise of the device or network. The CVSS score of 6.5 reflects the medium severity due to the requirement for authentication.

The vulnerability was publicly disclosed in 2018 via Zero Science Lab [1] and Exploit-DB [2]. Users should contact VideoFlow for a patched version or apply vendor-supplied mitigations. As of the CVE publication date (2025-12-24), no evidence of exploitation in the wild is mentioned, but upgrading to a non-vulnerable version is recommended.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
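With no patch listed, reviewing web access logs for traversal attempts against the named scripts is a practical check. The following is an added example, not code from the advisory or from VideoFlow: it flags requests to the scripts listed above whose 'ID' query parameter decodes to a traversal sequence, including nested percent-encoding. The log format, the `/x/` directory and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Script names as listed in the advisory; it says "multiple Perl scripts",
# so treat this set as possibly incomplete.
SCRIPTS = {"downloadsys.pl", "download.pl", "download_xml.pl",
           "downloadmib.pl", "downloadFile.pl"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encodings of ../ are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_id(value):
    """True if the ID holds a '..' segment, an absolute path or a NUL byte."""
    v = fully_decode(value).replace("\\", "/")
    # Assumption: a legitimate ID is a relative name below the download dir.
    return v.startswith("/") or ".." in v.split("/") or "\x00" in v

def flag_requests(log_lines):
    """Return (line_number, script, decoded_id) for each suspicious request."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        script = url.path.rsplit("/", 1)[-1]
        if script not in SCRIPTS:
            continue
        # parse_qs removes one encoding layer; fully_decode removes the rest.
        for value in parse_qs(url.query, keep_blank_values=True).get("ID", []):
            if is_suspicious_id(value):
                hits.append((n, script, fully_decode(value)))
    return hits

# Constructed sample lines; the /x/ directory, user and addresses are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - op [24/Dec/2025:10:00:01 +0000] "GET /x/download_xml.pl?ID=report.xml HTTP/1.1" 200 512',
    '192.0.2.44 - op [24/Dec/2025:10:02:17 +0000] "GET /x/downloadsys.pl?ID=../../../etc/passwd HTTP/1.1" 200 1843',
    '192.0.2.44 - op [24/Dec/2025:10:02:31 +0000] "GET /x/download.pl?ID=%252e%252e%252fconf%252fusers HTTP/1.1" 200 96',
    '192.0.2.10 - op [24/Dec/2025:10:05:00 +0000] "GET /x/status.pl?ID=../x HTTP/1.1" 200 20',
]
```

Parameters sent in a POST body do not appear in an access log, so this check only covers 'ID' values carried in the query string.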

Affected products

1

Patches

0

No patches discovered yet.


References

3
