
Description

Sony BRAVIA Digital Signage 1.7.8 contains a remote file inclusion vulnerability that allows attackers to inject arbitrary client-side scripts through the content material URL parameter. Attackers can exploit this vulnerability to hijack user sessions, execute cross-site scripting code, and modify display content by manipulating the input material type.

PUBLISHED | Reserved 2026-01-03 | Published 2026-01-06 | Updated 2026-01-26 | Assigner VulnCheck




MEDIUM: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)

MEDIUM: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Problem types

Inclusion of Functionality from Untrusted Control Sphere

Product status

Any version: affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab (finder)

References

www.exploit-db.com/exploits/49186 (ExploitDB-49186) exploit

pro-bravia.sony.net (Sony BRAVIA Digital Signage Product Homepage) product

pro-bravia.sony.net/resources/software/bravia-signage/ (BRAVIA Signage Software Resources) product

pro.sony/ue_US/products/display-software (Sony Professional Display Software Product Page) product

www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5612.php (Zero Science Lab Disclosure (ZSL-2020-5612)) third-party-advisory

packetstorm.news/files/id/160345 (Packet Storm Security Exploit Archive) exploit

exchange.xforce.ibmcloud.com/vulnerabilities/192605 (IBM X-Force Exchange Vulnerability Entry) vdb-entry

cxsecurity.com/issue/WLB-2020120030 (CXSecurity Vulnerability Listing) exploit

www.vulncheck.com/...e-unauthenticated-remote-file-inclusion (VulnCheck Advisory: Sony BRAVIA Digital Signage 1.7.8 Unauthenticated Remote File Inclusion) third-party-advisory

cve.org (CVE-2020-36924)

nvd.nist.gov (CVE-2020-36924)
