CVE-2017-20220
Improper Access Control in Serviio PRO 1.8 Allows Password Change
Publication date: 2026-03-16
Last updated on: 2026-03-16
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| six_lines_ltd | serviio_pro | up to and including 1.8.0.0 |
| six_lines_ltd | serviio_pro | 1.7.1 |
| six_lines_ltd | serviio_pro | 1.7.0 |
| six_lines_ltd | serviio_pro | 1.6.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2017-20220 is an improper access control vulnerability (CWE-306, missing authentication for critical function) in Serviio PRO version 1.8 and earlier. It affects the Configuration REST API, which lets an unauthenticated remote attacker change the mediabrowser login password.
Attackers exploit this by sending an HTTP PUT request with an XML payload to the REST API endpoint `/rest/remote-access`. The payload carries the new password inside the `<remoteUserPassword>` tag together with the other remote-access settings (delivery quality, port mapping, external address). Because the API enforces no authentication on this endpoint, anyone who can reach the port can set the credentials to a value of their choosing.
Serviio PRO runs on Windows, Mac OS X and Linux. The service listens by default on ports 23423 (console, which also serves the REST API) and 23424 (mediabrowser, whose login the changed password protects).
How can this vulnerability impact me?
This vulnerability allows a remote, unauthenticated attacker to change the mediabrowser login password, effectively gaining unauthorized access to the media server's protected interface.
Once the attacker has set the password, they can log in and access, and potentially manipulate, the media streaming configuration and data, bypassing the intended access control.
Because the attacker needs no prior credentials or privileges, this poses a high risk of unauthorized control over the affected system. [1, 2, 3, 5]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The most direct check is the exploit itself: send the crafted HTTP PUT request to the Configuration REST API endpoint `/rest/remote-access` on the Serviio PRO host. The REST API is served from the console listener (port 23423 by default); port 23424 is the mediabrowser whose password gets changed.
The request carries an XML payload with the new password inside the `<remoteUserPassword>` tag, together with the other remote-access parameters, and must have the headers `Content-Type: application/xml` and `Accept: application/xml`.
If the server accepts the request and changes the password without any credentials, the system is vulnerable. Note that this check is destructive: a successful test really changes the mediabrowser password, so run it only against hosts you are authorised to test, and choose a password you can restore afterwards.
A practical way to run the check is a small Python script or curl. Example curl command (replace <host> with the target IP or hostname):

```bash
curl -X PUT "http://<host>:23423/rest/remote-access" \
  -H "Content-Type: application/xml" -H "Accept: application/xml" \
  -d '<remoteAccess><remoteUserPassword>newpassword</remoteUserPassword><preferredRemoteDeliveryQuality>HIGH</preferredRemoteDeliveryQuality><portMappingEnabled>false</portMappingEnabled><externalAddress></externalAddress></remoteAccess>'
```

A 2xx response with no authentication challenge confirms the vulnerability; a 401 or 403 means some access control sits in front of the endpoint. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the Serviio PRO Configuration REST API endpoints, especially `/rest/remote-access`, by implementing network-level controls such as firewall rules to limit access only to trusted hosts.
If possible, disable remote access to the mediabrowser interface or move it behind a VPN or secure network segment to prevent unauthenticated external access.
Monitor and audit access logs for any suspicious or unauthorized requests to the REST API endpoints.
Check for and apply any available patches or updates from the vendor that address this improper access control vulnerability.
Changing the mediabrowser login password manually is not a mitigation on its own, because the same unauthenticated request resets it again; do it only after reachability of the REST API port has been restricted, and keep that restriction in place until a fixed version is installed.
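An added example for the log-monitoring step (not from the page or the vendor): a small scanner over access log lines in Apache/nginx combined format. It assumes Serviio is placed behind a reverse proxy or a logging firewall that records the HTTP method and path; Serviio's own log format is not assumed. The trusted administrator network, the sample lines and the second path `/rest/example-config` are constructed for the example.

```python
"""Flag state-changing requests to the Serviio REST API from untrusted hosts.

Added example, not vendor code. Assumes combined-format access logs written
by a reverse proxy or firewall in front of Serviio. Sample data is constructed.
"""
import ipaddress
import re
from collections import Counter

# Assumption for the example: only this network is allowed to administer Serviio.
TRUSTED_ADMINS = [ipaddress.ip_network("192.168.1.0/24")]
# Any state-changing request under /rest/ is worth a look; /rest/remote-access
# is the endpoint abused by CVE-2017-20220.
WRITE_METHODS = {"PUT", "POST", "DELETE"}
SENSITIVE_PATH = "/rest/remote-access"

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: an admin edit from the trusted LAN, then an outside host
# reading and rewriting the remote-access config with curl, then another
# outside host writing to a hypothetical /rest/example-config endpoint.
SAMPLE_LOG = """\
192.168.1.5 - - [10/Mar/2026:08:01:12 +0000] "GET /console/ HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.168.1.5 - - [10/Mar/2026:08:01:40 +0000] "PUT /rest/remote-access HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Mar/2026:13:22:03 +0000] "GET /rest/remote-access HTTP/1.1" 200 301 "-" "curl/8.4.0"
203.0.113.77 - - [10/Mar/2026:13:22:05 +0000] "PUT /rest/remote-access HTTP/1.1" 200 12 "-" "curl/8.4.0"
203.0.113.77 - - [10/Mar/2026:13:22:09 +0000] "GET /mediabrowser/ HTTP/1.1" 200 9981 "-" "curl/8.4.0"
198.51.100.9 - - [10/Mar/2026:14:00:00 +0000] "POST /rest/example-config HTTP/1.1" 200 30 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(src):
    """True if the source address lies inside an allowed administrator network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMINS)


def find_suspicious_writes(lines):
    """Return (findings, requests-per-source).

    A finding is any PUT/POST/DELETE under /rest/ from outside TRUSTED_ADMINS.
    Writes to /rest/remote-access are tagged 'password-change'; a 2xx answer
    is tagged 'succeeded' because the server accepted the write."""
    findings = []
    per_src = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/rest/"):
            continue
        if rec["method"] not in WRITE_METHODS or is_trusted(rec["src"]):
            continue
        tags = ["untrusted-source"]
        if rec["path"].split("?", 1)[0] == SENSITIVE_PATH:
            tags.append("password-change")
        if 200 <= rec["status"] < 300:
            tags.append("succeeded")
        findings.append({"src": rec["src"], "ts": rec["ts"], "method": rec["method"],
                         "path": rec["path"], "tags": tags})
        per_src[rec["src"]] += 1
    return findings, per_src


if __name__ == "__main__":
    found, counts = find_suspicious_writes(SAMPLE_LOG.splitlines())
    for f in found:
        print("%(ts)s %(src)s %(method)s %(path)s %(tags)s" % f)
    print("writes per untrusted source:", dict(counts))
```

On the sample data the trusted LAN edit is ignored and the two outside writes are reported, the curl one tagged as a successful password change. Feed real proxy logs in with `find_suspicious_writes(open(path))` and adjust `TRUSTED_ADMINS` to the hosts that legitimately administer the server.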