Description

ReQuest Serious Play F3 Media Server versions 7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823 allow unauthenticated attackers to read the webserver's Python debug log file, which contains system information, credentials, paths, and the processes and command arguments running on the device. Attackers can access this sensitive information by visiting the message_log page.

PUBLISHED Reserved 2025-12-05 | Published 2025-12-05 | Updated 2025-12-05 | Assigner VulnCheck




HIGH: 8.7 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-532 Insertion of Sensitive Information into Log File

Product status

Default status: unknown

7.0.3.4968 affected

Default status: unknown

7.0.2.4954 affected

6.5.2.4954 affected

6.4.2.4681 affected

6.3.2.4203 affected

2.0.1.823 affected

Credits

Gjoko 'LiquidWorm' Krstic (finder)

References

www.exploit-db.com/exploits/48950 (Exploit Database Entry 48950) exploit

request.com/ (Software Link) product

www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5600.php (Advisory URL) vendor-advisory

www.vulncheck.com/...lay-f-media-server-debug-log-disclosure third-party-advisory

cve.org (CVE-2020-36876)

nvd.nist.gov (CVE-2020-36876)