
Plexus anblick Digital Signage Management 3.1.13 (pagina param) Open Redirect

Low
Advisory ID
ZSL-2020-5573
Release Date
19 July 2020
Vendor
Affected Version
3.1.13
Tested On
Apache Tomcat/6.0.20, Apache-Coyote/1.1
Summary

Advanced multiplatform digital signage solution. Reproduction of multimedia content in a visual and impressive way. Adaptable to any use and to various types of screen or display.

Description

Input passed via the 'pagina' GET parameter in the 'PantallaLogin' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website, e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.
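
A detection sketch for the issue described above, added here as an example and not part of the original advisory or the vendor's code: it scans access-log lines for 'PantallaLogin' requests whose 'pagina' value would send the browser off-site. The log format, the `/CONTEXT` path placeholder, the page name `inicio.jsp`, and all hosts and addresses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: access log in common/combined format, request line in quotes.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def is_offsite(target, own_hosts):
    """True when a redirect target would leave the hosts in own_hosts."""
    # Browsers treat backslashes like slashes and ignore surrounding whitespace.
    cleaned = target.strip().replace("\\", "/")
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return True  # unparsable authority: treat as hostile
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return True  # javascript:, data: and similar are never page names
    host = parts.hostname  # set for absolute and scheme-relative (//host) URLs
    return host is not None and host.lower() not in own_hosts

def suspicious_requests(log_lines, own_hosts):
    """Return (line_number, pagina_value) for PantallaLogin hits with off-site 'pagina'."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/PantallaLogin"):
            continue
        # parse_qs URL-decodes the value, so encoded targets are caught too.
        for value in parse_qs(url.query).get("pagina", []):
            if is_offsite(value, own_hosts):
                hits.append((number, value))
    return hits

# Constructed sample lines; "/CONTEXT" stands in for the real context path.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jul/2020:10:00:01 +0000] "GET /CONTEXT/PantallaLogin?pagina=inicio.jsp HTTP/1.1" 200 5120',
    '192.0.2.11 - - [20/Jul/2020:10:00:07 +0000] "GET /CONTEXT/PantallaLogin?pagina=https%3A%2F%2Foffsite.example%2Flogin HTTP/1.1" 302 -',
    '192.0.2.12 - - [20/Jul/2020:10:01:30 +0000] "GET /CONTEXT/PantallaLogin?pagina=//offsite.example/ HTTP/1.1" 302 -',
    '192.0.2.13 - - [20/Jul/2020:10:02:00 +0000] "GET /CONTEXT/index.jsp HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG, {"signage.example"}):
        print(f"line {number}: off-site pagina target {value!r}")
```

The same `is_offsite` check, applied server-side before issuing the redirect, is the usual mitigation: reject any target that is not a local page or a host on the allowlist.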

Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
19.07.2020 - Initial release
24.07.2020 - Added reference [1] and [2]
24.03.2026 - Added reference [3]