CVE-2020-36877

Summary

ReQuest Serious Play F3 Media Server 7.0.3 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands as the web server user. Attackers can upload PHP executable files via the Quick File Uploader page, resulting in remote code execution on the server.

Affected Software

VendorProductVersion RangeStatus
ReQuest Serious Play LLCReQuest Serious Play Pro7.0.3.4968affected
ReQuest Serious Play LLCReQuest Serious Play7.0.2.4954affected
ReQuest Serious Play LLCReQuest Serious Play6.5.2.4954affected
ReQuest Serious Play LLCReQuest Serious Play6.4.2.4681affected
ReQuest Serious Play LLCReQuest Serious Play6.3.2.4203affected
ReQuest Serious Play LLCReQuest Serious Play2.0.1.823affected

Weaknesses

  • CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

References