PT-2020-10393 · Raspberry Pi · Pisignage

Aegisduck · Published 2020-01-06 · Updated 2020-01-14 · CVE-2019-20354

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: piSignage versions prior to 2.6.4

Description: The issue allows a remote attacker, authenticated as a low-privilege user, to download arbitrary files from the Raspberry Pi. It is caused by a path traversal vulnerability in the "api/settings/log" endpoint: the file parameter is not sanitized, so a "../" sequence in it escapes the intended log directory. The vulnerable code is in the player API's log download handler.

Recommendations: For versions prior to 2.6.4, update to version 2.6.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "api/settings/log" endpoint or disabling the log download feature until a patch is applied. Avoid using the file parameter in the affected API endpoint until the issue is resolved.

Tags: Exploit · Fix · Path traversal


Weakness Enumeration

Related Identifiers: CVE-2019-20354
Affected Products: Pisignage