CVE-2020-36923 | THREATINT

Description

Sony BRAVIA Digital Signage 1.7.8 contains an insecure direct object reference vulnerability that allows attackers to bypass authorization controls. Attackers can access hidden system resources like '/#/content-creation' by manipulating client-side access restrictions.

PUBLISHED Reserved 2026-01-03 | Published 2026-01-06 | Updated 2026-01-06 | Assigner VulnCheck

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

Authorization Bypass Through User-Controlled Key

Product status

<=1.7.8

affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab finder

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5611.php exploit

www.zeroscience.mk/codes/sonybravia_idor.txt exploit

www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5611.php (Zero Science Lab Disclosure (ZSL-2020-5611)) third-party-advisory

exchange.xforce.ibmcloud.com/vulnerabilities/192607 (IBM X-Force Exchange Vulnerability Entry) vdb-entry

cxsecurity.com/issue/WLB-2020120031 (CXSecurity Vulnerability Listing) third-party-advisory

packetstormsecurity.com/files/160344 (Packet Storm Security Exploit Archive) exploit

pro.sony/ue_US/products/display-software (Sony Professional Display Software Product Page) product

pro-bravia.sony.net/resources/software/bravia-signage/ (BRAVIA Signage Software Resources) product

pro-bravia.sony.net (Sony BRAVIA Digital Signage Official Homepage) product

www.vulncheck.com/...-client-side-protection-bypass-via-idor (VulnCheck Advisory: Sony BRAVIA Digital Signage 1.7.8 Client-Side Protection Bypass via IDOR) third-party-advisory

cve.org (CVE-2020-36923)

nvd.nist.gov (CVE-2020-36923)

Download JSON