CVE-2020-36920
Improper Access Control in iDS6 DSSPro Enables Full Takeover

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: VulnCheck

Description
iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. Attackers can create users, modify roles and permissions, and potentially achieve full application takeover by exploiting insecure direct object references.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-06
EPSS evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products
Vendor: guangzhou_yeroo_tech_co_ltd
Product: ids6_dsspro_digital_signage_system
Affected versions (4 associated CPEs): 4.3, 5.6, 6.2, and the range from 4.3 (inclusive) to 6.2 (inclusive)
CWE
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

CVE-2020-36920 is an improper access control vulnerability in iDS6 DSSPro Digital Signage System version 6.2. Authenticated users can exploit this flaw by invoking JavaScript functions via the browser console or leveraging insecure direct object references to access hidden functionalities. This allows attackers to escalate their privileges by creating new users, modifying roles and permissions, and potentially taking full control of the application. [1, 2, 3, 4]

Impact Analysis

Any authenticated account, regardless of its assigned role, can bypass the access controls to create users, modify roles and permissions, and so reach full application takeover. In practice an attacker who obtains one low-privileged login can grant themselves administrator rights, manipulate every other account, and control the digital signage management software and the content it pushes to displays. [1, 2, 3, 4]

Detection Guidance

Detection is an authenticated authorization test. Log in as a low-privileged account, open the Accounts->User or Accounts->Role page, and call the page's JavaScript function `add()` from the browser console: the function is only hidden from the UI, not denied by the server. The same test can be run without the UI by sending POST requests, as that low-privileged session, to `/Pages/user!addUser`, `/Pages/user!list`, `/Pages/role!add`, `/Pages/role!list`, `/Pages/role!updatePermissions`, `/Pages/user!updateRole`, and `/Pages/user!del` with the parameters the legitimate administrator UI sends; any of these succeeding for a non-administrator confirms the flaw. Checking for the known default credentials (admin:123456) also helps identify instances that have never been hardened. For ongoing monitoring, alert on requests to these action endpoints from sessions that do not hold an administrator role, and on user or role changes that cannot be traced to an administrator. [2, 3]
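The monitoring side of the guidance above, as an added example that is not VulnCheck's or the vendor's code: it scans request logs for accepted calls to the privileged `/Pages/user!*` and `/Pages/role!*` actions from non-administrator sessions and reports which actors completed the full role-then-user escalation chain. The log format is constructed for the example (it assumes a reverse proxy or the application writes one line per request with the authenticated user and role); the role names and sample lines are hypothetical.

```python
"""Flag privileged iDS6 DSSPro actions issued by non-admin sessions.

Added example, not vendor code. The single-line log format is constructed
for illustration and assumes the proxy or application records the
authenticated user and its role; adapt LINE_RE to the real format.
"""
import re
from collections import defaultdict

# Struts-style action endpoints named in the advisory's detection guidance.
PRIVILEGED_ACTIONS = {
    "/Pages/user!addUser",
    "/Pages/user!list",
    "/Pages/role!add",
    "/Pages/role!list",
    "/Pages/role!updatePermissions",
    "/Pages/user!updateRole",
    "/Pages/user!del",
}

# Order in which a low-privileged account escalates to full control:
# create a role, give it permissions, create a user, assign the role.
TAKEOVER_CHAIN = [
    "/Pages/role!add",
    "/Pages/role!updatePermissions",
    "/Pages/user!addUser",
    "/Pages/user!updateRole",
]

ADMIN_ROLES = {"admin", "administrator"}  # hypothetical role names

# Constructed log format: <ts> <ip> user=<name> role=<role> "<req>" <status>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) role=(?P<role>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>[^\s?]+)(?:\?\S*)? HTTP/[\d.]+" '
    r'(?P<status>\d{3})$'
)

# Constructed sample lines: alice (editor) walks the whole takeover chain,
# bob (viewer) gets one call rejected and one accepted, admin is legitimate.
SAMPLE_LOG = """\
2026-01-06T10:00:01Z 10.0.0.5 user=alice role=editor "GET / HTTP/1.1" 200
2026-01-06T10:00:09Z 10.0.0.5 user=alice role=editor "POST /Pages/role!add HTTP/1.1" 200
2026-01-06T10:00:12Z 10.0.0.5 user=alice role=editor "POST /Pages/role!updatePermissions HTTP/1.1" 200
2026-01-06T10:00:20Z 10.0.0.5 user=alice role=editor "POST /Pages/user!addUser HTTP/1.1" 200
2026-01-06T10:00:25Z 10.0.0.5 user=alice role=editor "POST /Pages/user!updateRole HTTP/1.1" 302
2026-01-06T10:01:00Z 10.0.0.9 user=bob role=viewer "POST /Pages/user!del HTTP/1.1" 403
2026-01-06T10:02:00Z 10.0.0.2 user=admin role=admin "POST /Pages/user!list HTTP/1.1" 200
2026-01-06T10:03:00Z 10.0.0.9 user=bob role=viewer "POST /Pages/user!list HTTP/1.1" 200
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_violations(lines):
    """Return accepted (2xx/3xx) POSTs to privileged actions by non-admin roles.

    A 403 is the server doing its job; only accepted requests are evidence
    that the authorization check is missing.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or rec["path"] not in PRIVILEGED_ACTIONS:
            continue
        if rec["role"].lower() in ADMIN_ROLES:
            continue
        if 200 <= rec["status"] < 400:
            hits.append(rec)
    return hits


def takeover_actors(violations):
    """Users whose accepted requests cover TAKEOVER_CHAIN in order."""
    per_user = defaultdict(list)
    for v in violations:
        per_user[v["user"]].append(v["path"])
    actors = []
    for user, paths in per_user.items():
        idx = 0
        for p in paths:  # subsequence match, extra requests in between are fine
            if idx < len(TAKEOVER_CHAIN) and p == TAKEOVER_CHAIN[idx]:
                idx += 1
        if idx == len(TAKEOVER_CHAIN):
            actors.append(user)
    return sorted(actors)


if __name__ == "__main__":
    found = find_violations(SAMPLE_LOG.splitlines())
    for v in found:
        print(f"{v['ts']} {v['user']} ({v['role']}) -> {v['path']} {v['status']}")
    print("full takeover chain completed by:", takeover_actors(found))
```

Run against the constructed sample, the scan reports alice's four chain requests and bob's accepted `user!list`, and names alice as having completed the takeover chain; bob's rejected `user!del` is ignored because a 403 shows the check working.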

Mitigation Strategies

Until a vendor fix is available, restrict network access to the iDS6 DSSPro management interface to trusted administrators (VPN or address allow-list), replace default credentials such as admin:123456 with strong, unique passwords, and keep the number of low-privileged accounts to a minimum, since any authenticated account can exploit this. Removing or hiding the console JavaScript functions is not a fix: the flaw is the missing server-side authorization on the `/Pages/user!*` and `/Pages/role!*` actions, and a direct POST bypasses any client-side restriction, so the remedy is a vendor update that enforces the role check on every such action. Apply that update as soon as it is available, and in the meantime audit users, roles and permissions regularly, and review logs of the endpoints above, to detect unauthorized changes. [2, 4]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
