9.1
CVE-2020-36898
- EPSS 1.52%
- Veröffentlicht 10.12.2025 21:16:02
- Zuletzt bearbeitet 17.12.2025 19:16:28
- Quelle disclosure@vulncheck.com
- CVE-Watchlists
- Unerledigt
LoginQiHang Media Web Digital Signage 3.0.9 Unauthenticated Arbitrary File Deletion
QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated file deletion vulnerability in the QH.aspx endpoint that allows remote attackers to delete files without authentication. Attackers can exploit the 'data' parameter by sending a POST request with file paths to delete arbitrary files with web server permissions using directory traversal sequences.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Howfor ≫ Qihang Media Web Digital Signage Version3.0.9
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.52% | 0.713 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.1 | 3.9 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
|
| disclosure@vulncheck.com | 8.8 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
http://www.howfor.com
https://www.exploit-db.com/exploits/48749
https://www.vulncheck.com/advisories/qihang-media-web-digital-signage-unauthenticated-arbitrary-file-deletion
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5580.php