Description

Serviio PRO 1.8 contains an improper access control vulnerability in the Configuration REST API that allows unauthenticated attackers to change the mediabrowser login password. Attackers can send specially crafted requests to the REST API endpoints to modify credentials without authentication.

Status: PUBLISHED | Reserved 2026-03-15 | Published 2026-03-15 | Updated 2026-03-16 | Assigner: VulnCheck

HIGH: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
HIGH: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Problem types

Missing Authentication for Critical Function

Product status

1.8.0.0 PRO: affected
1.7.1: affected
1.7.0: affected
1.6.1: affected

Credits

LiquidWorm (Gjoko Krstic) of Zero Science Lab: finder

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5407.php (Zero Science Lab Disclosure) third-party-advisory

blogs.securiteam.com/index.php/archives/3094 (SecuriTeam Blogs) third-party-advisory

www.exploit-db.com/exploits/41960/ (Exploit-DB) exploit

packetstormsecurity.com/files/142386 (Packet Storm Security) exploit

cxsecurity.com/issue/WLB-2017050025 (CXSecurity) third-party-advisory

www.securitylab.ru/poc/486047.php (SecurityLab) third-party-advisory

exchange.xforce.ibmcloud.com/vulnerabilities/125645 (IBM X-Force Exchange) vdb-entry

www.vulncheck.com/...henticated-password-change-via-rest-api (VulnCheck Advisory: Serviio PRO 1.8 Unauthenticated Password Change via REST API) third-party-advisory

cve.org (CVE-2017-20220)

nvd.nist.gov (CVE-2017-20220)
