CVE-2020-36900

Description

All-Dynamics Digital Signage System 2.0.2 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. Attackers can craft a malicious web page that automatically submits forms to create a new user with global administrative privileges when a logged-in user visits the page.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

Active

Confidentiality (Vulnerable System)

High

Integrity (Vulnerable System)

High

Availability (Vulnerable System)

High

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

All-Dynamics Software GmbH / Digital Signage System2.0.2 (Build 2098) ILP32W – 2.0.2 (Build 2098) ILP32W

References

EXPLOIThttps://www.exploit-db.com/exploits/48736
MISChttps://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5576.php
MISChttps://www.all-dynamics.de
VENDOR_ADVISORYhttps://www.vulncheck.com/advisories/all-dynamics-digital-signage-system-cross-site-request-forgery-via-user-management