CVE-2020-36876
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-08
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| request | serious_play_f3_media_server | 6.4.2.4681 |
| request | serious_play_f3_media_server | 7.0.2.4954 |
| request | serious_play_f3_media_server | 6.5.2.4954 |
| request | serious_play_f3_media_server | 2.0.1.823 |
| request | serious_play_f3_media_server | 7.0.3.4968 |
| request | serious_play_f3_media_server | 6.3.2.4203 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in ReQuest Serious Play F3 Media Server allows unauthenticated attackers to access the webserver's Python debug log file by visiting the message_log page. The log file contains sensitive system information such as credentials, file paths, running processes, and command arguments, which can be disclosed without any authentication.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of sensitive information including credentials and system details. This can enable attackers to gain insights into the system's configuration and potentially facilitate further attacks or unauthorized access.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to access sensitive information such as credentials, system details, file paths, running processes, and command arguments from the debug log file. This exposure of sensitive data could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information. However, the provided resources do not explicitly discuss the impact on compliance with these standards. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the /message_log page on the ReQuest Serious Play F3 Media Server's web interface without authentication. If accessible, the page will disclose the Python debug log file containing sensitive system information. A simple detection command using curl would be: `curl http://<target-ip>/message_log -i`. If the response contains debug log data including system details, credentials, or running processes, the system is vulnerable. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /message_log page by implementing authentication and access controls on the web management interface. If possible, disable or remove the debug log exposure feature. Additionally, update or patch the ReQuest Serious Play F3 Media Server to a version where this vulnerability is fixed, or apply vendor-recommended security updates. Monitoring and blocking unauthorized access attempts to the web server can also help reduce risk. [1, 2, 3]