PT-2025-50508 · Brightsign · Brightsign Digital Signage Diagnostic Web Server
Published 2025-12-10 · Updated 2025-12-11 · CVE-2020-36884
CVSS v4.0: 6.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
BrightSign Digital Signage Diagnostic Web Server versions 8.2.26 and earlier
Description
The software contains an unauthenticated server-side request forgery (SSRF) issue in the 'url' GET parameter of the Download Speed Test service. The parameter value is used as the target of a server-side HTTP request, so an attacker can point it at external domains or at hosts on the internal network, forcing the application to issue arbitrary HTTP requests on their behalf; this can bypass firewall restrictions and enable network enumeration. The vulnerable parameter is url.
Recommendations
Versions prior to 8.2.26 should be updated.
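As an added illustration of the kind of input check that closes this class of issue in a speed-test endpoint (example code written for this page, not BrightSign's code or fix; the scheme/port policy, the resolver hook and the sample host names are assumptions):

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy for the speed-test fetch: plain web URLs on the default
# ports only, no credentials in the URL, no non-global target address.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}

def resolve_all(host):
    """Default resolver: every address the name maps to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_internal(ip):
    """Loopback, RFC 1918, link-local (e.g. 169.254.169.254), ULA, etc."""
    return not ipaddress.ip_address(ip).is_global

def validate_speed_test_url(url, resolve=resolve_all):
    """Return (pinned_ip, None) if the 'url' value may be fetched, else
    (None, reason).  Connect to pinned_ip (Host header = original name) so a
    DNS answer cannot change between check and use; re-check each redirect."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None, "scheme not allowed"
    if not parts.hostname or parts.username or parts.password:
        return None, "missing host or embedded credentials"
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        port = -1
    if port not in ALLOWED_PORTS:
        return None, "port not allowed"
    try:
        addrs = {ipaddress.ip_address(parts.hostname)}  # literal IP given
    except ValueError:  # a host name: resolve it and vet every answer
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(parts.hostname)}
        except (socket.gaierror, ValueError):
            addrs = set()
    if not addrs:
        return None, "host does not resolve"
    bad = [str(a) for a in addrs if is_internal(str(a))]
    if bad:
        return None, f"resolves to non-global address {bad[0]}"
    return str(min(addrs, key=str)), None

if __name__ == "__main__":  # constructed resolver so the demo runs offline
    fake = {"speedtest.example": {"8.8.8.8"}, "printer.lan": {"10.0.0.7"}}
    for u in ("http://speedtest.example/10MB.bin", "http://printer.lan/"):
        print(u, "->", validate_speed_test_url(u, lambda h: fake.get(h, set())))
```

The check is only effective if the fetch itself honours the pinned address and does not follow redirects on its own; logging every rejected value also gives a cheap detection signal for probing of this parameter.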
SSRF
Affected Products
Brightsign Digital Signage Diagnostic Web Server