Vulnerability Details CVE-2020-36898
QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated file deletion vulnerability in the QH.aspx endpoint that allows remote attackers to delete files without authentication. Attackers can exploit the 'data' parameter by sending a POST request with file paths to delete arbitrary files with web server permissions using directory traversal sequences.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.024
EPSS Ranking 84.7%
CVSS Severity
CVSS v3 Score 9.1
References
- http://www.howfor.com
- https://www.exploit-db.com/exploits/48749
- https://www.vulncheck.com/advisories/qihang-media-web-digital-signage-unauthenticated-arbitrary-file-deletion
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5580.php
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5580.php
Products affected by CVE-2020-36898
-
cpe:2.3:a:howfor:qihang_media_web_digital_signage:3.0.9