RED-V Super Digital Signage System RXV-A740R Log Information Disclosure

Medium
Advisory ID
ZSL-2020-5609
Release Date
15 November 2020
Vendor
RED-V S.R.L. - https://www.red-v.tv
Affected Version
Model name: RXV-A740R, Android version: 5.1.1, Firmware version: 026, Player version: 7.8.6, Downloader version: 7.5.2, Launcher version: 6.8.8
Tested On
Apache Struts
Summary

RED-V Super Digital Signage transforms simple screens into customized TV channels, delivering audiovisual communication as immersive user experiences. It is the final blending of years of know-how in multimedia, mobile and web experience, tablet and multimedia server design.

Description

The application is vulnerable to sensitive information disclosure. An unauthenticated attacker can visit several endpoints and retrieve the web server's log file list, which contains sensitive system resources and debug log information from the device.

Proof of Concept
Disclosure Timeline
26.10.2020 Vulnerability discovered.
09.11.2020 Vendor contacted.
09.11.2020 Vendor responds asking for more details.
09.11.2020 Sent details to the vendor. Asked for confirmation and scheduled patch release date.
09.11.2020 Vendor confirms the issue, working on fix.
10.11.2020 Vendor will release an update to block access to those files if not authenticated.
15.11.2020 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
15.11.2020 Initial release
02.12.2020 Added reference [1], [2] and [3]
24.03.2026 Added reference [4]