CVE-2020-36902

Name of the Vulnerable Software and Affected Versions UBICOD Medivision Digital Signage version 1.5.1

Description A flaw exists in UBICOD Medivision Digital Signage that allows normal users to gain elevated privileges. This is achieved by manipulating the ft[grp] parameter. Specifically, sending a GET request to the '/html/user' API endpoint with the ft[grp] parameter set to the integer value '3' allows attackers to obtain super admin rights without authentication.

Recommendations Apply any available updates to address the authorization bypass issue. As a temporary workaround, restrict access to the '/html/user' API endpoint. Avoid using the ft[grp] parameter with a value of '3'.