← Advisories

Sony BRAVIA Digital Signage 1.7.8 System API Information Disclosure

Medium

Advisory ID

ZSL-2020-5610

Release Date

02 December 2020

Vendor

Sony Electronics Inc. - https://pro.sony

Affected Version

<=1.7.8

CVE

CVE-2020-36922

Tested On

Microsoft Windows Server 2012 R2, Ubuntu, NodeJS, Express

Summary

Sony's BRAVIA Signage is an application to deliver video and still images to Pro BRAVIAs and manage the information via a network. Features include management of displays, power schedule management, content playlists, scheduled delivery management, content interrupt, and more. This cost-effective digital signage management solution is ideal for presenting attractive, informative visual content in retail spaces and hotel reception areas, visitor attractions, educational and corporate environments.

Description

The application is vulnerable to sensitive information disclosure vulnerability. An unauthenticated attacker can visit several API endpoints and disclose information running on the device.

Proof of Concept

sonybravia_sysinfo.txtTXT

Disclosure Timeline

20.09.2020Vulnerability discovered.

15.10.2020Submitted to Sony via Hackerone.

20.11.2020Vendor states that the vulnerabilities are just informative and that all the issues are working as intended.

02.12.2020Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://www.exploit-db.com/exploits/49187

[2]https://packetstormsecurity.com/files/160343

[3]https://cxsecurity.com/issue/WLB-2020120028

[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/192606

[5]https://www.cve.org/CVERecord?id=CVE-2020-36922

Changelog

02.12.2020Initial release

17.02.2020Added reference [1], [2], [3] and [4]

24.03.2026Added reference [5]