CVE-2020-36897

QiHang Media Web Digital Signage 3.0.9 Unauthenticated Remote Code Execution

CVSS 9.3 CRITICALEPSS 1.1%CWE-434

QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated remote code execution vulnerability in the QH.aspx file that allows attackers to upload malicious ASPX scripts. Attackers can exploit the file upload functionality by using the 'remotePath' and 'fileToUpload' parameters to write and execute arbitrary system commands on the server.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Productos afectados

Shenzhen Xingmeng Qihang Media Co., Ltd. Guangzhou Hefeng Automation Technology Co., Ltd. · QiHang Media Web Digital Signage

PoCs públicas encontradas — 1

cve_referencewww.exploit-db.com/exploits/48751no verificado

⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://www.exploit-db.com/exploits/48751 https://www.vulncheck.com/advisories/qihang-media-web-digital-signage-unauthenticated-remote-code-execution https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5582.php http://www.howfor.com