{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2019-25256","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2025-12-24T14:27:12.478Z","datePublished":"2025-12-24T19:28:05.689Z","dateUpdated":"2025-12-24T20:21:37.347Z"},"containers":{"cna":{"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2025-12-24T19:28:05.689Z"},"datePublic":"2018-02-01T00:00:00.000Z","title":"VideoFlow Digital Video Protection DVP 2.10 Authenticated Directory Traversal","descriptions":[{"lang":"en","value":"VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows attackers to access arbitrary system files through unvalidated 'ID' parameters. Attackers can exploit multiple Perl scripts like downloadsys.pl to read sensitive files by manipulating directory path traversal in download requests."}],"problemTypes":[{"descriptions":[{"lang":"en","description":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","cweId":"CWE-22","type":"CWE"}]}],"affected":[{"vendor":"VideoFlow Ltd.","product":"Digital Video Protection DVP","versions":[{"version":"2.10","status":"affected"},{"version":"1.40.0.15","status":"affected"},{"version":"2.10.0.5","status":"affected"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":7.1,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS"},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS"}],"references":[{"url":"https://www.exploit-db.com/exploits/44386","name":"ExploitDB-44386","tags":["exploit"]},{"url":"http://www.video-flow.com","name":"VideoFlow Product Web Page","tags":["product"]},{"url":"https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5454.php","name":"Zero Science Lab Disclosure (ZSL-2018-5454)","tags":["third-party-advisory"]}],"credits":[{"lang":"en","value":"LiquidWorm as Gjoko Krstic of Zero Science Lab","type":"finder"}],"x_generator":{"engine":"vulncheck"}},"adp":[{"references":[{"url":"http://www.video-flow.com","tags":["exploit"]},{"url":"https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5454.php","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-12-24T20:00:55.381089Z","id":"CVE-2019-25256","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-12-24T20:21:37.347Z"}}]}}