Vulnerability Description
BrightSign Digital Signage Diagnostic Web Server 8.2.26 and earlier contains an unauthenticated server-side request forgery (SSRF) vulnerability in the 'url' GET parameter of the Download Speed Test service. Attackers can specify external domains to bypass firewalls and perform network enumeration by forcing the application to make arbitrary HTTP requests to internal network hosts.
Related Weaknesses (CWE)
References
- https://github.com/zeroscience
- https://www.brightsign.biz
- https://www.exploit-db.com/exploits/48843
- https://www.vulncheck.com/advisories/brightsign-digital-signage-diagnostic-web-s
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5595.php
FAQ
What is CVE-2020-36884?
CVE-2020-36884 is a documented vulnerability. BrightSign Digital Signage Diagnostic Web Server 8.2.26 and earlier contains an unauthenticated server-side request forgery vulnerability in the 'url' GET parameter of the Download Speed Test service. At...
How severe is CVE-2020-36884?
CVSS scoring is not yet available for CVE-2020-36884. Check NVD for updates.
Is there a patch for CVE-2020-36884?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.