CVE-2020-36877
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2020-36877, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-05

Last updated on: 2025-12-08

Assigner: VulnCheck

Description

ReQuest Serious Play F3 Media Server 7.0.3 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands as the web server user. Attackers can upload PHP executable files via the Quick File Uploader page, resulting in remote code execution on the server.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-05
Last Modified
2025-12-08
Generated
2026-07-06
AI Q&A
2025-12-10
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 11 associated CPEs
Vendor Product Version / Range
debian debian_gnu/linux 5.0
apache http_server 2.2.22
php php 5.4.45
request serious_play_f3_media_server 6.4.2.4681
request serious_play_f3_media_server 7.0.2.4954
request serious_play_f3_media_server 6.5.2.4954
request serious_play_f3_media_server 7.0.3
request serious_play_f3_media_server 2.0.1.823
apache http_server 2.2.9
php php 5.2.6-1
request serious_play_f3_media_server 6.3.2.4203

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by checking for the presence of the vulnerable Quick File Uploader page at /tools/upload.html or /shared/upload.php on the ReQuest Serious Play F3 Media Server. One detection method involves verifying the presence of a specific string ("000000000000") in the /MP3/ directory listing on the server. Additionally, sending a crafted multipart/form-data POST request to upload a PHP file and checking the server response for the uploaded file can confirm vulnerability. A proof-of-concept Python3 script automates these steps, including verifying the target, uploading a PHP reverse shell payload, and confirming the upload. Network detection could involve monitoring for unusual POST requests to /tools/upload.html or /shared/upload.php containing PHP payloads. [1]

Executive Summary

This vulnerability exists in ReQuest Serious Play F3 Media Server 7.0.3 and allows an unauthenticated attacker to execute arbitrary commands on the server as the web server user. The attacker can upload PHP executable files through the Quick File Uploader page, which leads to remote code execution on the server.

Impact Analysis

This vulnerability can allow attackers to take control of the affected server by executing arbitrary commands remotely without authentication. This can lead to unauthorized access, data theft, server manipulation, or further attacks within the network.

Mitigation Strategies

Immediate mitigation steps include restricting or disabling access to the Quick File Uploader pages (/tools/upload.html and /shared/upload.php) to prevent unauthenticated file uploads. Applying access controls or authentication to these endpoints can block unauthorized usage. Additionally, updating or patching the ReQuest Serious Play F3 Media Server to a version that addresses this vulnerability is recommended once available. Monitoring and blocking suspicious POST requests attempting to upload PHP files can also help reduce risk until a patch is applied. [1, 2, 3]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-36877. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart