CVE-2020-36918
Unknown Unknown - Not Provided
CSRF Vulnerability in iDS6 DSSPro Allows Unauthorized Admin Actions

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: VulnCheck

Description
iDS6 DSSPro Digital Signage System 6.2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft malicious web pages to trick logged-in administrators into adding unauthorized users by exploiting the lack of CSRF protections.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2020-36918
EUVD
EUVD-2026-1018
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
guangzhou_yeroo_tech_co_ltd ids6_dsspro_digital_signage_system 6.2
guangzhou_yeroo_tech_co_ltd ids6_dsspro_digital_signage_system 5.6
guangzhou_yeroo_tech_co_ltd ids6_dsspro_digital_signage_system 4.3
guangzhou_yeroo_tech_co_ltd ids6_dsspro_digital_signage_system From 6.2 B2014.12.12.1220 (inc)
guangzhou_yeroo_tech_co_ltd ids6_dsspro_digital_signage_system From 5.6 B2017.07.12.1757 (inc)
guangzhou_yeroo_tech_co_ltd ids6_dsspro_digital_signage_system to 6.2 B2014.12.12.1220 (exc)
guangzhou_yeroo_tech_co_ltd ids6_dsspro_digital_signage_system to 5.6 B2017.07.12.1757 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2020-36918 is a Cross-Site Request Forgery (CSRF) vulnerability in the iDS6 DSSPro Digital Signage System version 6.2. It allows attackers to perform unauthorized administrative actions by exploiting the lack of request validation in the system's web interface. Specifically, attackers can trick logged-in administrators into visiting malicious web pages that cause the system to add unauthorized users without the administrators' consent or knowledge. [1, 2, 3, 4]

Impact Analysis

This vulnerability can impact you by allowing remote attackers to perform administrative actions on the affected system without proper authorization. For example, an attacker can add unauthorized users with administrative privileges if a logged-in administrator visits a malicious website. This can lead to unauthorized access, potential misuse of the system, and compromise of administrative controls. [1, 2, 3, 4]

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized administrative actions performed without proper request validation, especially POST requests to endpoints like /Pages/user!addUser that add users. Since the vulnerability is a CSRF allowing unauthorized user creation via crafted HTTP requests, you can detect suspicious POST requests to user management URLs from unusual sources or without valid CSRF tokens. Network monitoring tools or web server logs can be used to identify such requests. Specific commands are not provided in the resources, but inspecting web server access logs for POST requests to user management endpoints and verifying the presence or absence of CSRF tokens in requests can help detect exploitation attempts. [1, 2, 4]

Mitigation Strategies

Immediate mitigation steps include implementing CSRF protections in the iDS6 DSSPro Digital Signage System, such as adding CSRF tokens to validate the authenticity of administrative requests. Additionally, restricting administrative access to trusted networks, educating administrators to avoid visiting untrusted websites while logged in, and applying any available patches or updates from the vendor can reduce risk. Since the vulnerability allows unauthorized administrative actions via crafted web pages, preventing such requests from being accepted without validation is critical. [1, 2, 3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-36918. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart