Vulnerability Description
QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated file disclosure vulnerability that allows remote attackers to access sensitive files through unverified 'filename' and 'path' parameters. Attackers can exploit the QH.aspx endpoint to read arbitrary files and list directory contents without authentication by manipulating the download and getAll actions.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Howfor | Qihang Media Web Digital Signage | 3.0.9 |
Related Weaknesses (CWE)
References
- http://www.howfor.com (Product)
- https://www.exploit-db.com/exploits/48750 (Exploit, Third Party Advisory, VDB Entry)
- https://www.vulncheck.com/advisories/qihang-media-web-digital-signage-unauthenti (Third Party Advisory)
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5581.php (Exploit, Third Party Advisory)
FAQ
What is CVE-2020-36899?
CVE-2020-36899 is a vulnerability with a CVSS score of 7.5 (HIGH). QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated file disclosure vulnerability that allows remote attackers to access sensitive files through unverified 'filename' and 'path' paramet...
How severe is CVE-2020-36899?
CVE-2020-36899 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-36899?
Check the references section above for vendor advisories and patch information. Affected products include: Howfor Qihang Media Web Digital Signage.