VideoFlow Digital Video Protection DVP Authenticated Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in VideoFlow Digital Video Protection (DVP) version 2.10. This vulnerability allows authenticated attackers to execute system commands with root privileges. The issue arises from a cross-site request forgery (CSRF) vulnerability that can be exploited to gain unauthorized access to the system.
Impact
Exploitation of this vulnerability allows for authenticated remote code execution with root privileges on the affected system.
Reproduction
The vulnerability can be reproduced by logging into the VideoFlow DVP web management interface using the default credentials. Once logged in, a cross-site request forgery (CSRF) attack can be executed to perform actions that lead to remote code execution: a crafted request that exploits the CSRF vulnerability allows arbitrary commands to be executed on the server with root privileges.
