CVE-2020-36877
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-08

Assigner: VulnCheck

Description
ReQuest Serious Play F3 Media Server 7.0.3 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands as the web server user. Attackers can upload PHP executable files via the Quick File Uploader page, resulting in remote code execution on the server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-08
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2020-36877
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
debian debian_gnu/linux 5.0
apache http_server 2.2.22
php php 5.4.45
request serious_play_f3_media_server 6.4.2.4681
request serious_play_f3_media_server 7.0.2.4954
request serious_play_f3_media_server 6.5.2.4954
request serious_play_f3_media_server 7.0.3
request serious_play_f3_media_server 2.0.1.823
apache http_server 2.2.9
php php 5.2.6-1
request serious_play_f3_media_server 6.3.2.4203
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by checking for the presence of the vulnerable Quick File Uploader page at /tools/upload.html or /shared/upload.php on the ReQuest Serious Play F3 Media Server. One detection method involves verifying the presence of a specific string ("000000000000") in the /MP3/ directory listing on the server. Additionally, sending a crafted multipart/form-data POST request to upload a PHP file and checking the server response for the uploaded file can confirm vulnerability. A proof-of-concept Python3 script automates these steps, including verifying the target, uploading a PHP reverse shell payload, and confirming the upload. Network detection could involve monitoring for unusual POST requests to /tools/upload.html or /shared/upload.php containing PHP payloads. [1]

Executive Summary

This vulnerability exists in ReQuest Serious Play F3 Media Server 7.0.3 and allows an unauthenticated attacker to execute arbitrary commands on the server as the web server user. The attacker can upload PHP executable files through the Quick File Uploader page, which leads to remote code execution on the server.

Impact Analysis

This vulnerability can allow attackers to take control of the affected server by executing arbitrary commands remotely without authentication. This can lead to unauthorized access, data theft, server manipulation, or further attacks within the network.

Mitigation Strategies

Immediate mitigation steps include restricting or disabling access to the Quick File Uploader pages (/tools/upload.html and /shared/upload.php) to prevent unauthenticated file uploads. Applying access controls or authentication to these endpoints can block unauthorized usage. Additionally, updating or patching the ReQuest Serious Play F3 Media Server to a version that addresses this vulnerability is recommended once available. Monitoring and blocking suspicious POST requests attempting to upload PHP files can also help reduce risk until a patch is applied. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-36877. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart