CVE-2020-36894

Name of the Vulnerable Software and Affected Versions Eibiz i-Media Server Digital Signage version 3.8.0

Description The software contains an authentication bypass that allows unauthenticated attackers to create administrative users. This is achieved through manipulation of AMF-encoded objects sent to the /messagebroker/amf API endpoint. Attackers can bypass security controls and create admin users without needing to authenticate. The vulnerability involves sending crafted serialized objects to the specified endpoint.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the /messagebroker/amf API endpoint.