Vulnerability Description
Serviio PRO 1.8 contains an improper access control vulnerability in the Configuration REST API that allows unauthenticated attackers to change the mediabrowser login password. Attackers can send specially crafted requests to the REST API endpoints to modify credentials without authentication.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- http://www.securitylab.ru/poc/486047.php
- https://blogs.securiteam.com/index.php/archives/3094
- https://cxsecurity.com/issue/WLB-2017050025
- https://exchange.xforce.ibmcloud.com/vulnerabilities/125645
- https://packetstormsecurity.com/files/142386
- https://www.exploit-db.com/exploits/41960/
- https://www.vulncheck.com/advisories/serviio-pro-unauthenticated-password-change
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5407.php
FAQ
What is CVE-2017-20220?
CVE-2017-20220 is a vulnerability with a CVSS score of 7.5 (HIGH). Serviio PRO 1.8 contains an improper access control vulnerability in the Configuration REST API that allows unauthenticated attackers to change the mediabrowser login password. Attackers can send spec...
How severe is CVE-2017-20220?
CVE-2017-20220 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-20220?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.