CVE-2020-36918
CSRF Vulnerability in iDS6 DSSPro Allows Unauthorized Admin Actions
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| guangzhou_yeroo_tech_co_ltd | ids6_dsspro_digital_signage_system | 6.2 |
| guangzhou_yeroo_tech_co_ltd | ids6_dsspro_digital_signage_system | 5.6 |
| guangzhou_yeroo_tech_co_ltd | ids6_dsspro_digital_signage_system | 4.3 |
| guangzhou_yeroo_tech_co_ltd | ids6_dsspro_digital_signage_system | From 6.2 B2014.12.12.1220 (inc) |
| guangzhou_yeroo_tech_co_ltd | ids6_dsspro_digital_signage_system | From 5.6 B2017.07.12.1757 (inc) |
| guangzhou_yeroo_tech_co_ltd | ids6_dsspro_digital_signage_system | to 6.2 B2014.12.12.1220 (exc) |
| guangzhou_yeroo_tech_co_ltd | ids6_dsspro_digital_signage_system | to 5.6 B2017.07.12.1757 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-36918 is a Cross-Site Request Forgery (CSRF) vulnerability in the iDS6 DSSPro Digital Signage System version 6.2. It allows attackers to perform unauthorized administrative actions by exploiting the lack of request validation in the system's web interface. Specifically, attackers can trick logged-in administrators into visiting malicious web pages that cause the system to add unauthorized users without the administrators' consent or knowledge. [1, 2, 3, 4]
How can this vulnerability impact me?
This vulnerability allows remote attackers to perform administrative actions on the affected system without proper authorization. For example, an attacker can add unauthorized users with administrative privileges if a logged-in administrator visits a malicious website. This can lead to unauthorized access, misuse of the system, and compromise of administrative controls. [1, 2, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection focuses on the administrative action the CSRF abuses: user creation through POST requests to user-management endpoints such as /Pages/user!addUser. Because exploitation delivers a crafted HTTP request from the administrator's own browser, look for POST requests to user-management URLs that arrive from unusual sources or that carry no valid CSRF token. Network monitoring tools or web server logs can be used to identify such requests. The referenced resources do not provide specific commands, but inspecting web server access logs for POST requests to user-management endpoints and checking whether those requests carry a CSRF token can help detect exploitation attempts. [1, 2, 4]
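The following script is an added example, not code from the page or from the vendor. It triages access-log lines the way the answer above suggests: it picks out POST requests to the user-management endpoint named in the advisory and flags those whose Referer is absent or points at a host other than the signage server's own. Two assumptions are built in: the log is in the common "combined" format (which records Referer but not the POST body, so a CSRF token in the form itself is not visible here and would need request-body or application logging), and the signage UI is reached under a single host name (the `SIGNAGE_HOST` value and all log lines are constructed). A missing Referer is only a triage signal, since browsers and referrer policies can strip it for legitimate requests too.

```python
"""Triage web server access logs for cross-site user-creation requests.

Added example, not from the page or the vendor. Assumes the signage server
writes logs in the "combined" format (request line, status, size, Referer,
User-Agent) and that legitimate admin actions are submitted from pages served
by the signage host itself. The endpoint path comes from the advisory text;
the host name and the log lines below are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed: the host name under which administrators reach the signage UI.
SIGNAGE_HOST = "signage.example.internal"
# Endpoint named in the advisory; extend with other user-management paths.
USER_MGMT_PATHS = ("/Pages/user!addUser",)

COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_LOG.match(line.strip())
    return m.groupdict() if m else None


def referer_host(referer):
    """Host part of the Referer, or None when the header was absent ('-')."""
    if referer in ("", "-"):
        return None
    return (urlsplit(referer).hostname or "").lower()


def classify(entry):
    """Return a reason string if the entry looks like a cross-site request to a
    user-management endpoint, otherwise None."""
    if entry["method"] != "POST":
        return None
    path = entry["path"].split("?", 1)[0]
    if path not in USER_MGMT_PATHS:
        return None
    host = referer_host(entry["referer"])
    if host is None:
        return "POST to user-management endpoint with no Referer"
    if host != SIGNAGE_HOST:
        return f"POST to user-management endpoint referred from foreign origin {host}"
    return None


def triage(lines):
    """Run classify() over raw log lines; unparseable lines are skipped."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append({
                "ip": entry["ip"], "ts": entry["ts"], "path": entry["path"],
                "status": entry["status"], "reason": reason,
            })
    return findings


# Constructed sample log lines: a normal listing, a legitimate add-user POST
# submitted from the signage UI, one referred from a third-party page, one
# with no Referer at all, and one line that does not parse.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Jan/2026:10:00:01 +0000] "GET /Pages/user!list HTTP/1.1" 200 4321 "https://signage.example.internal/Pages/index" "Mozilla/5.0"',
    '10.0.0.5 - - [06/Jan/2026:10:00:09 +0000] "POST /Pages/user!addUser HTTP/1.1" 302 0 "https://signage.example.internal/Pages/user!list" "Mozilla/5.0"',
    '10.0.0.5 - - [06/Jan/2026:10:07:44 +0000] "POST /Pages/user!addUser HTTP/1.1" 302 0 "http://third-party.example/page.html" "Mozilla/5.0"',
    '10.0.0.5 - - [06/Jan/2026:10:08:02 +0000] "POST /Pages/user!addUser HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} -> {f['status']}: {f['reason']}")
```

Run it against a real log with `triage(open(path).readlines())`; the two flagged entries in the constructed sample are the ones a forged request from the administrator's browser would typically produce, while the request referred from the signage host itself passes.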
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing CSRF protections in the iDS6 DSSPro Digital Signage System, such as adding CSRF tokens that validate the authenticity of administrative requests. Additionally, restrict administrative access to trusted networks, advise administrators not to visit untrusted websites while logged in, and apply any patches or updates the vendor provides. Since the vulnerability is exploited through crafted web pages that trigger administrative actions, rejecting such requests unless they are validated is critical. [1, 2, 3, 4]
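As an added example of the token-based protection the answer recommends (not the vendor's code and not tied to any particular web framework), the following stdlib-only Python shows a synchronizer-token check combined with an origin check in front of a user-creation handler. It assumes a request can be represented as a dict of headers plus a dict of form fields, that the server keeps a per-session store, and that the admin UI is served from exactly one origin (the `ALLOWED_ORIGIN` value is constructed). Tokens are compared with a constant-time comparison so the check itself does not leak them.

```python
"""Server-side CSRF check for state-changing administrative requests.

Added example, not the vendor's code. Framework-agnostic: headers and form
fields are plain dicts (assumption), so the check can sit in front of any
handler that creates users. Assumes the UI is served from one origin.
"""
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://signage.example.internal"  # constructed value
TOKEN_FIELD = "csrf_token"


def issue_token(session):
    """Store a fresh random token in the server-side session and return it so
    the page can embed it as a hidden field in every administrative form."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_FIELD] = token
    return token


def _origin_of(headers):
    """Source origin of the request: Origin if present, else derived from Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        p = urlsplit(referer)
        return f"{p.scheme}://{p.netloc}"
    return None


def csrf_check(session, headers, form):
    """Return (ok, reason). A state-changing request is accepted only when both
    the source origin and the synchronizer token check out."""
    # Modern browsers label the request's origin relationship; a POST that
    # changes state should only ever be same-origin.
    fetch_site = headers.get("Sec-Fetch-Site")
    if fetch_site is not None and fetch_site != "same-origin":
        return False, f"Sec-Fetch-Site={fetch_site}"
    origin = _origin_of(headers)
    if origin is None:
        return False, "no Origin or Referer header"
    if origin.lower() != ALLOWED_ORIGIN:
        return False, f"origin {origin} not allowed"
    expected = session.get(TOKEN_FIELD)
    supplied = form.get(TOKEN_FIELD, "")
    # Constant-time comparison; also rejects when no token was ever issued.
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


def add_user_handler(session, headers, form):
    """Demonstration handler: creates the user only after the CSRF check passes."""
    ok, reason = csrf_check(session, headers, form)
    if not ok:
        return {"status": 403, "error": reason}
    # Real user creation would happen here; the demo just echoes the name.
    return {"status": 200, "created": form.get("username")}


if __name__ == "__main__":
    session = {}
    token = issue_token(session)
    same_site = {"Origin": ALLOWED_ORIGIN, "Sec-Fetch-Site": "same-origin"}
    print(add_user_handler(session, same_site, {"username": "ops", TOKEN_FIELD: token}))
    cross_site = {"Origin": "https://third-party.example", "Sec-Fetch-Site": "cross-site"}
    print(add_user_handler(session, cross_site, {"username": "ops", TOKEN_FIELD: token}))
```

The origin check alone defeats a forged request from another site, and the token check alone defeats one that manages to spoof or suppress its origin headers; requiring both means a request must come from a page the server itself rendered for that session.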