CVE-2020-36899 PUBLISHED

QiHang Media Web Digital Signage 3.0.9 Unauthenticated Arbitrary File Disclosure

Assigner: VulnCheck
Reserved: 09.12.2025 Published: 10.12.2025 Updated: 11.12.2025

QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated file disclosure vulnerability that allows remote attackers to access sensitive files through unverified 'filename' and 'path' parameters. Attackers can exploit the QH.aspx endpoint to read arbitrary files and directory contents without authentication by manipulating download and getAll actions.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor Shenzhen Xingmeng Qihang Media Co., Ltd. Guangzhou Hefeng Automation Technology Co., Ltd.
Product QiHang Media Web Digital Signage
Versions Default: unaffected
  • Version 3.0.9.0 is affected

Credits

  • LiquidWorm as Gjoko Krstic of Zero Science Lab finder

References

Problem Types

  • CWE-530: Exposure of Backup File to an Unauthorized Control Sphere CWE