CVE-2020-36902

Summary

UBICOD Medivision Digital Signage 1.5.1 contains an authorization bypass vulnerability that allows normal users to escalate privileges by manipulating the 'ft[grp]' parameter. Attackers can send a GET request to /html/user with 'ft[grp]' set to integer value '3' to gain super admin rights without authentication.

Affected Software

VendorProductVersion RangeStatus
UBICOD Co., Ltd.MEDIVISION INC.UBICOD Medivision Digital SignageFirmware 1.5.1 (2013.01.3)

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

Additional References

References