VideoFlow Digital Video Protection DVP Authenticated Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in VideoFlow Digital Video Protection (DVP) version 2.10. This vulnerability allows authenticated attackers to execute arbitrary system commands by exploiting a cross-site request forgery (CSRF) flaw in the web management interface. Attackers with valid credentials can inject and execute commands through the Tools > System > Shell interface, gaining root access to the device.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands with root privileges on the affected device.

Reproduction

To reproduce this vulnerability, an authenticated user must log into the VideoFlow DVP web management interface. Once logged in, the user can navigate to the Tools > System > Shell section. Here, the CSRF vulnerability can be exploited to inject commands that will be executed with root privileges.