iDS6 DSSPro Digital Signage System 6.2 (autoSave) Cookie User Password Disclosure

Medium
Advisory ID
ZSL-2020-5605
Release Date
04 November 2020
Vendor
Guangzhou Yeroo Tech Co., Ltd. - http://www.yerootech.com
Affected Version
V6.2 B2014.12.12.1220, V5.6 B2017.07.12.1757, V4.3
Tested On
Microsoft Windows XP, Microsoft Windows 7, Microsoft Windows Server 2008, Microsoft Windows Server 2012, Microsoft Windows 10, Apache Tomcat/8.0.44, Apache Tomcat/6.0.35, Apache-Coyote/1.1, Apache Axis/1.4, MySQL 5.5.25, Java 1.8.0
Summary

iDS6 Software's DSSPro network digital signage management system is a web-based server software solution for Windows.

Description

The application suffers from cleartext transmission and storage of sensitive information in a cookie when the Remember (autoSave=true) feature is used: the user's authentication credentials are placed in the HTTP Cookie unprotected. A remote attacker positioned on the network path can therefore intercept the credentials from the HTTP Cookie header via a man-in-the-middle attack.
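The weakness described above is a design problem in the remember-me feature, not a single bug, so the useful defensive view is twofold: how to spot cookies that carry cleartext credentials or lack transport protection, and what the feature should issue instead. The following is an added example written for this page; it is not code from the advisory, the vendor, or the DSSPro product, and every cookie name and header in it (autoSave, user, password, remember_me) is a constructed illustration rather than the product's real cookie names.

```python
"""Added example (not from the advisory or the vendor): audit Set-Cookie headers for
cleartext credentials and missing protection attributes, and show a remember-me
design that stores an opaque token instead of the password.
All cookie names and sample headers below are constructed for illustration."""
import hashlib
import re
import secrets
from http.cookies import SimpleCookie

# Cookie names that suggest a credential is being stored directly (assumption: a
# simple name heuristic is enough for a first-pass audit).
SENSITIVE_NAME_RE = re.compile(r"(pass|pwd|secret|cred)", re.I)


def audit_set_cookie(headers):
    """Return (cookie_name, finding) tuples for each weakness found in the
    given list of Set-Cookie header values."""
    findings = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)  # parses name=value plus attributes such as Secure/HttpOnly
        for name, morsel in jar.items():
            if SENSITIVE_NAME_RE.search(name) and morsel.value:
                findings.append((name, "sensitive-looking value stored in cleartext cookie"))
            if not morsel["secure"]:
                findings.append((name, "missing Secure attribute (sent over plain HTTP)"))
            if not morsel["httponly"]:
                findings.append((name, "missing HttpOnly attribute"))
    return findings


# Constructed headers modelling a remember-me feature that persists the login
# credentials themselves in cookies (the pattern the advisory describes).
VULNERABLE_HEADERS = [
    "autoSave=true; Path=/",
    "user=admin; Path=/",
    "password=s3cret; Path=/",
]


class RememberMeStore:
    """Server-side mapping from a hashed opaque token to a username.

    The browser only ever receives a random token; the password never leaves
    the server, and only the token's hash is kept so a leaked table cannot be
    replayed as cookies."""

    def __init__(self):
        self._tokens = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._tokens[self._digest(token)] = username
        return token

    def lookup(self, token):
        return self._tokens.get(self._digest(token))

    def revoke(self, token):
        self._tokens.pop(self._digest(token), None)


def build_remember_me_header(token, max_age=14 * 24 * 3600):
    """Set-Cookie value for the opaque token with transport and script protection."""
    return (f"remember_me={token}; Path=/; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite=Strict")


if __name__ == "__main__":
    for name, problem in audit_set_cookie(VULNERABLE_HEADERS):
        print(f"[weak] {name}: {problem}")
    store = RememberMeStore()
    tok = store.issue("admin")
    hardened = build_remember_me_header(tok)
    print("hardened header:", hardened)
    print("hardened findings:", audit_set_cookie([hardened]))
```

Running the audit over the constructed vulnerable headers reports the cleartext password plus the missing Secure and HttpOnly attributes on every cookie; the opaque-token header produces no findings. The Secure attribute is what removes the man-in-the-middle exposure the advisory describes, and the server-side hash lookup means a captured token can be revoked without a password change.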

Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
04.11.2020 Initial release
11.11.2020 Added reference [1], [2] and [3]
24.03.2026 Added reference [4]