CVE-2020-36895

Description

EIBIZ i-Media Server Digital Signage 3.8.0 contains an unauthenticated configuration disclosure vulnerability that allows remote attackers to access sensitive configuration files via direct object reference. Attackers can retrieve the SiteConfig.properties file through an HTTP GET request, exposing administrative credentials, database connection details, and system configuration information.

PUBLISHED Reserved 2025-12-09 | Published 2025-12-10 | Updated 2025-12-11 | Assigner VulnCheck

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab finder

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5583.php exploit

www.exploit-db.com/exploits/48764 (ExploitDB-48764) exploit

www.eibiz.co.th (EIBIZ Co.,Ltd. Product Homepage) product

www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5583.php (Zero Security Advisory ZSL-2020-5583) vendor-advisory vdb-entry

www.vulncheck.com/...nauthenticated-configuration-disclosure (VulnCheck Advisory: EIBIZ i-Media Server Digital Signage 3.8.0 Unauthenticated Configuration Disclosure) third-party-advisory

cve.org (CVE-2020-36895)

nvd.nist.gov (CVE-2020-36895)

Download JSON