CVE-2020-36878

Summary

ReQuest Serious Play Media Player 3.0 contains an unauthenticated file disclosure vulnerability when input passed through the 'file' parameter in and script is not properly verified before being used to read web log files. Attackers can exploit this to disclose contents of files from local resources.

Affected Software

VendorProductVersion RangeStatus
ReQuest Serious Play LLCReQuest Serious Play Media Player3.0.0affected
ReQuest Serious Play LLCReQuest Serious Play Media Player2.1.0.831affected
ReQuest Serious Play LLCReQuest Serious Play Media Player1.5.2.822affected
ReQuest Serious Play LLCReQuest Serious Play Media Player1.5.2.821affected
ReQuest Serious Play LLCReQuest Serious Play Media Player1.5.1.820affected

Weaknesses

  • CWE-73: CWE-73 External Control of File Name or Path

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References