CVE-2020-36897 PUBLISHED

QiHang Media Web Digital Signage 3.0.9 Unauthenticated Remote Code Execution

Assigner: VulnCheck
Reserved: 09.12.2025 Published: 10.12.2025 Updated: 11.12.2025

QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated remote code execution vulnerability in the QH.aspx file that allows attackers to upload malicious ASPX scripts. Attackers can exploit the file upload functionality by using the 'remotePath' and 'fileToUpload' parameters to write and execute arbitrary system commands on the server.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor Shenzhen Xingmeng Qihang Media Co., Ltd. Guangzhou Hefeng Automation Technology Co., Ltd.
Product QiHang Media Web Digital Signage
Versions Default: unaffected
  • Version 3.0.9 is affected

Credits

  • LiquidWorm as Gjoko Krstic of Zero Science Lab finder

References

Problem Types

  • CWE-434: Unrestricted Upload of File with Dangerous Type CWE