CVE-2020-36876
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-08

Assigner: VulnCheck

Description
ReQuest Serious Play F3 Media Server versions 7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823 allow unauthenticated attackers to read the webserver's Python debug log file, which contains system information, credentials, paths, processes and command arguments running on the device. Attackers can access this sensitive information by visiting the message_log page.
Meta Information
Published: 2025-12-05
Last Modified: 2025-12-08
Generated: 2026-06-16
AI Q&A: 2025-12-05
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor   Product                       Version / Range
request  serious_play_f3_media_server  6.4.2.4681
request  serious_play_f3_media_server  7.0.2.4954
request  serious_play_f3_media_server  6.5.2.4954
request  serious_play_f3_media_server  2.0.1.823
request  serious_play_f3_media_server  7.0.3.4968
request  serious_play_f3_media_server  6.3.2.4203
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Executive Summary

This vulnerability in ReQuest Serious Play F3 Media Server allows unauthenticated attackers to access the webserver's Python debug log file by visiting the message_log page. The log file contains sensitive system information such as credentials, file paths, running processes, and command arguments, which can be disclosed without any authentication.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive information including credentials and system details. This can enable attackers to gain insights into the system's configuration and potentially facilitate further attacks or unauthorized access.

Compliance Impact

The vulnerability allows unauthenticated attackers to access sensitive information such as credentials, system details, file paths, running processes, and command arguments from the debug log file. This exposure of sensitive data could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information. However, the provided resources do not explicitly discuss the impact on compliance with these standards. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by attempting to access the /message_log page on the ReQuest Serious Play F3 Media Server's web interface without authentication. If accessible, the page will disclose the Python debug log file containing sensitive system information. A simple detection command using curl would be: curl http://<target-ip>/message_log -i. If the response contains debug log data including system details, credentials, or running processes, the system is vulnerable. [1, 2, 3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the /message_log page by implementing authentication and access controls on the web management interface. If possible, disable or remove the debug log exposure feature. Additionally, update or patch the ReQuest Serious Play F3 Media Server to a version where this vulnerability is fixed, or apply vendor-recommended security updates. Monitoring and blocking unauthorized access attempts to the web server can also help reduce risk. [1, 2, 3]
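
One way to act on the monitoring advice above, as an added example that is not from this page's sources or the vendor: a Python check that scans web access logs for requests to /message_log coming from outside an admin network. It assumes the device sits behind a reverse proxy that writes Combined Log Format; the ADMIN_NETS range, the function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: management hosts allowed to reach the device UI (constructed range).
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def is_message_log(target):
    """True if the request path normalises to /message_log (page named in the CVE)."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    path = re.sub(r"/+", "/", path).rstrip("/").lower()
    return path == "/message_log"

def find_exposures(lines, admin_nets=ADMIN_NETS):
    """Return (severity, client, timestamp, status) for each /message_log request
    from outside admin_nets; 'disclosed' means a 2xx response with a body."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_message_log(m["target"]):
            continue
        try:
            internal = any(ipaddress.ip_address(m["ip"]) in n for n in admin_nets)
        except ValueError:
            internal = False  # unparseable client field: treat as untrusted
        if internal:
            continue
        status = int(m["status"])
        size = int(m["size"]) if m["size"].isdigit() else 0
        severity = "disclosed" if 200 <= status < 300 and size > 0 else "probe"
        findings.append((severity, m["ip"], m["ts"], status))
    return findings

SAMPLE_LOG = [  # constructed lines using documentation address ranges
    '203.0.113.7 - - [06/Dec/2025:10:12:01 +0000] "GET /message_log HTTP/1.1" 200 48211 "-" "curl/8.5.0"',
    '10.0.5.20 - admin [06/Dec/2025:10:15:44 +0000] "GET /message_log HTTP/1.1" 200 48302 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [06/Dec/2025:11:02:10 +0000] "GET /Message_Log/?x=1 HTTP/1.1" 401 0 "-" "-"',
    '203.0.113.7 - - [06/Dec/2025:11:05:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_LOG):
        print(*finding)
```

A "disclosed" finding means the log contents were served to that client, so any credentials the debug log could contain should be treated as exposed and rotated.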
