← Advisories

iDS6 DSSPro Digital Signage System 6.2 Cross-Site Request Forgery (CSRF)

Medium

Advisory ID

ZSL-2020-5606

Release Date

04 November 2020

Vendor

Guangzhou Yeroo Tech Co., Ltd. - http://www.yerootech.com

Affected Version

V6.2 B2014.12.12.1220, V5.6 B2017.07.12.1757, V4.3

CVE

CVE-2020-36918

Tested On

Microsoft Windows XP, Microsoft Windows 7, Microsfot Windows Server 2008, Microsoft Windows Server 2012, Microsoft Windows 10, Apache Tomcat/8.0.44, Apache Tomcat/6.0.35, Apache-Coyote/1.1, Apache Axis/1.4, MySQL 5.5.25, Java 1.8.0

Summary

iDS6 Software's DSSPro network digital signage management system is a web-based server software solution for Windows.

Description

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Proof of Concept

dsspro_csrf.txtTXT

Disclosure Timeline

N/A

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://packetstormsecurity.com/files/159916

[2]https://www.exploit-db.com/exploits/48990

[3]https://cxsecurity.com/issue/WLB-2020110022

[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/191258

[5]https://www.cve.org/CVERecord?id=CVE-2020-36918

Changelog

04.11.2020Initial release

11.11.2020Added reference [1], [2], [3] and [4]

24.03.2026Added reference [5]