PT-2025-50519 · Qihang · Qihang Media Web Digital Signage

Published: 2025-12-10 · Updated: 2025-12-11 · CVE-2020-36898

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions

QiHang Media Web Digital Signage version 3.0.9

Description

The software contains an unauthenticated file deletion issue. Remote attackers can delete files without needing to log in. This is possible through the QH.aspx endpoint by manipulating the data parameter in a POST request. Attackers can use directory traversal sequences to delete arbitrary files with the permissions of the web server.

Recommendations

Apply any available updates to address this issue. As a temporary workaround, restrict access to the QH.aspx endpoint. Carefully validate and sanitize the data parameter to prevent directory traversal attempts.
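The validation recommended above can be sketched as a containment check. This is an added example, not the vendor's code or fix; the content directory `MEDIA_ROOT`, the function `resolve_delete_target` and the exception `UnsafePath` are assumptions, and the input is taken to be the `data` value after the framework's URL decoding.

```python
import ntpath  # Windows path rules on any OS; the product is an ASP.NET application

# Assumed content directory: the advisory does not name the real one.
MEDIA_ROOT = r"C:\signage\media"


class UnsafePath(ValueError):
    """Raised when a requested name would resolve outside the content root."""


def resolve_delete_target(data: str, root: str = MEDIA_ROOT) -> str:
    """Map an already URL-decoded `data` value to a path inside root, or raise."""
    if not data or any(ord(ch) < 32 for ch in data):
        raise UnsafePath("empty value or control character")
    drive, rest = ntpath.splitdrive(data)
    if drive or rest.startswith(("\\", "/")) or ":" in rest:
        # Drive letters, UNC shares, rooted paths and NTFS stream names.
        raise UnsafePath("absolute path or stream syntax")
    # Collapse "." and ".." for both separator styles before comparing.
    base = ntpath.normcase(ntpath.normpath(root))
    candidate = ntpath.normpath(ntpath.join(root, data))
    folded = ntpath.normcase(candidate)  # NTFS names are case-insensitive
    if folded == base:
        raise UnsafePath("refers to the root directory itself")
    # commonpath compares whole components, so a sibling such as
    # C:\signage\media2 is not mistaken for a child of C:\signage\media.
    if ntpath.commonpath([base, folded]) != base:
        raise UnsafePath("resolves outside the content root")
    return candidate


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    for value in ["clip.mp4", r"ads\..\clip.mp4", r"..\..\web.config", r"..\media2\x"]:
        try:
            print(value, "->", resolve_delete_target(value))
        except UnsafePath as exc:
            print(value, "-> rejected:", exc)
```

The check runs on the normalized path rather than searching the raw string for `..`, which is why mixed separators and sibling-directory names are handled the same way.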

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2020-36898

Affected Products

Qihang Media Web Digital Signage