CVE-2020-36921
Information Disclosure in RED-V Super Digital Signage
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| red-v | super_digital_signage_system | 5.1.1 |
| red-v | rxv-a740r | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-548 | The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-36921 is an information disclosure vulnerability in the RED-V Super Digital Signage System version 5.1.1, specifically affecting the RXV-A740R model. It allows unauthenticated attackers to access sensitive webserver log files by visiting multiple endpoints without needing to authenticate. These log files contain system resources and debug information, exposing critical internal details about the device's operation. [2, 3, 4]
How can this vulnerability impact me? :
This vulnerability can impact you by exposing sensitive system resources and debug information to unauthenticated attackers. The exposed log files may reveal critical internal details about the device's operation, which could be used to facilitate further attacks or compromise the system's security and integrity. [2, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the exposed log file endpoints on the RED-V Super Digital Signage System webserver without authentication. Specifically, you can try to retrieve log files such as /downloader.log, /launcher.log, /player.log, and their date-stamped variants by sending HTTP requests to the device's webserver, typically accessible on port 8080. For example, you can use curl commands like: curl http://<device-ip>:8080/downloader.log curl http://<device-ip>:8080/launcher.log curl http://<device-ip>:8080/player.log If these requests return log file contents without requiring authentication, the system is vulnerable. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the exposed log file endpoints by implementing authentication controls on the webserver to prevent unauthenticated access. Additionally, updating the RED-V Super Digital Signage System to a patched version released by the vendor that addresses this vulnerability is recommended. Until a patch is applied, network-level controls such as firewall rules to block external access to the device's webserver port (e.g., port 8080) can reduce exposure. [2, 4]