CVE-2020-36898

Опубликовано: 10 дек. 2025

Источник: nvd

CVSS3: 9.1

EPSS Средний

Описание

QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated file deletion vulnerability in the QH.aspx endpoint that allows remote attackers to delete files without authentication. Attackers can exploit the 'data' parameter by sending a POST request with file paths to delete arbitrary files with web server permissions using directory traversal sequences.

Ссылки

http://www.howfor.com
Product
https://www.exploit-db.com/exploits/48749
Exploit
Third Party Advisory
VDB Entry
https://www.vulncheck.com/advisories/qihang-media-web-digital-signage-unauthenticated-arbitrary-file-deletion
Third Party Advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5580.php
Exploit
Third Party Advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5580.php
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:howfor:qihang_media_web_digital_signage:3.0.9:*:*:*:*:*:*:*

EPSS

Процентиль: 95%

0.1598

Средний

9.1 Critical

CVSS3

Дефекты

CWE-22

Связанные уязвимости

GHSA-wc7f-fvgq-374p