CVE-2020-36920
Improper Access Control in iDS6 DSSPro Enables Full Takeover
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| guangzhou_yeroo_tech_co_ltd | ids6_dsspro_digital_signage_system | 6.2 |
| guangzhou_yeroo_tech_co_ltd | ids6_dsspro_digital_signage_system | 4.3 through 6.2 (inclusive) |
| guangzhou_yeroo_tech_co_ltd | ids6_dsspro_digital_signage_system | 5.6 |
| guangzhou_yeroo_tech_co_ltd | ids6_dsspro_digital_signage_system | 4.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-36920 is an improper access control vulnerability in iDS6 DSSPro Digital Signage System version 6.2. Authenticated users can exploit this flaw by invoking JavaScript functions via the browser console or leveraging insecure direct object references to access hidden functionalities. This allows attackers to escalate their privileges by creating new users, modifying roles and permissions, and potentially taking full control of the application. [1, 2, 3, 4]
How can this vulnerability impact me?
This vulnerability can lead to privilege escalation where an authenticated user can bypass access controls to create users, modify roles and permissions, and potentially achieve full application takeover. This means an attacker could fully compromise the system, manipulate user accounts, and control the digital signage management software, leading to significant security risks. [1, 2, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying whether authenticated users can invoke JavaScript functions via the browser console to escalate privileges. Specifically, invoking the JavaScript function `add()` on the Accounts->User or Accounts->Role pages can be tested. Additionally, sending POST requests to endpoints such as `/Pages/user!addUser`, `/Pages/user!list`, `/Pages/role!add`, `/Pages/role!list`, `/Pages/role!updatePermissions`, `/Pages/user!updateRole`, and `/Pages/user!del` with the appropriate parameters can reveal whether privilege escalation is possible. Testing with known default credentials (e.g., admin:123456) can also help identify vulnerable instances. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the affected iDS6 DSSPro Digital Signage System to trusted users only, changing default credentials to strong, unique passwords, and disabling or restricting the use of browser console JavaScript functions that allow privilege escalation. Applying any available patches or updates from the vendor is recommended. Additionally, monitoring and auditing user roles and permissions regularly to detect unauthorized changes can help mitigate exploitation. [2, 4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.