Sony BRAVIA Digital Signage 1.7.8 Insecure Direct Object Reference

CVE:               CVE-2021-5785
Category:          CWE-639 (Authorization Bypass Through User-Controlled Key)
Price:             $5,000
Severity:          High
Author:            Unknown
Risk:              High
Exploitation Type: Remote
Date:              2020-12-04
CVSS vector:       CVSS:4.0/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS:              0.02192
EPSS percentile:   0.50148

Note on the CVSS vector as listed: it carries a CVSS:4.0 prefix but uses
CVSS 3.x metric names (S, C, I and A are not CVSS 4.0 base metrics, which
are AV, AC, AT, PR, UI, VC, VI, VA, SC, SI, SA), and AV:P (physical access)
contradicts the "Remote" exploitation type above. Treat the score as
unreliable and rely on the advisory text below.

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020120031

Below is a copy:

Sony BRAVIA Digital Signage 1.7.8 Client-Side Protection Bypass / IDOR


Vendor: Sony Electronics Inc.
Product web page: https://pro-bravia.sony.net
                  https://pro-bravia.sony.net/resources/software/bravia-signage/
                  https://pro.sony/ue_US/products/display-software
Affected version: <=1.7.8

Summary: Sony's BRAVIA Signage is an application to deliver
video and still images to Pro BRAVIAs and manage the information
via a network. Features include management of displays, power
schedule management, content playlists, scheduled delivery
management, content interrupt, and more. This cost-effective
digital signage management solution is ideal for presenting
attractive, informative visual content in retail spaces and
hotel reception areas, visitor attractions, educational and
corporate environments.

Desc: Insecure direct object references occur when an application
provides direct access to objects based on user-supplied input without
verifying that the requester is authorized for that object. Here the
'/#/content-creation' resource is only hidden from the user interface
(a client-side protection): an attacker who requests the route directly
bypasses authorization and reaches the hidden resource in the system.

Tested on: Microsoft Windows Server 2012 R2
           Ubuntu
           NodeJS
           Express


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5611
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5611.php


20.09.2020

--


http://192.168.1.20:8080/#/content-creation
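The PoC is a single URL: the page is reachable because the server never checks who asks for the data behind it, and the "#/..." fragment the front-end uses to hide or show the view is never even sent to the server. The Node.js model below is an added example, not code from Sony's BRAVIA Signage or from the Zero Science advisory; the session store, role names and API paths are assumptions chosen to illustrate the pattern. It contrasts a legacy handler that relies on the client-side menu with a hardened handler that authorizes every backing API call from the server-side session.

```javascript
// Added example (not Sony's or the advisory's code): a minimal model of an
// SPA backend showing why hiding a hash route such as "/#/content-creation"
// in the client is not authorization, and what the server-side check looks
// like. Route names, roles and the session store are illustrative assumptions.

// Constructed in-memory session store: cookie value -> session.
const SESSIONS = {
  'sid-admin': { user: 'alice', role: 'admin' },
  'sid-viewer': { user: 'bob', role: 'viewer' },
};

// Look up the session named by the "sid" cookie of a request-like object.
function sessionFor(req) {
  const cookie = (req.headers && req.headers.cookie) || '';
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(cookie);
  return m ? SESSIONS[m[1]] || null : null;
}

// Client-side "protection": the menu only lists routes for the user's role.
// A browser never transmits the "#/..." fragment, so in the legacy model this
// list is all that stands between a viewer and the hidden route.
const MENU = {
  admin: ['/#/displays', '/#/playlists', '/#/content-creation'],
  viewer: ['/#/displays', '/#/playlists'],
};
function visibleRoutes(session) {
  return session ? MENU[session.role] || [] : [];
}

// Server-side table of the API paths that back the SPA routes and the role
// each one requires (assumed requirements for illustration).
const API = {
  '/api/displays': { requires: 'viewer' },
  '/api/playlists': { requires: 'viewer' },
  '/api/content-creation': { requires: 'admin' },
};
const RANK = { viewer: 1, admin: 2 };

// Legacy behaviour: every API path is served to anyone, because "the route is
// not in the menu" was treated as the access control. Unknown paths get the
// SPA shell so the client-side router can handle them.
function handleLegacy(req) {
  if (API[req.path]) return { status: 200, body: `data for ${req.path}` };
  return { status: 200, body: '<spa shell>' };
}

// Hardened behaviour: authorization is decided per API path from the
// server-side session, never from anything the client chose to display.
function handleHardened(req) {
  const route = API[req.path];
  if (!route) return { status: 200, body: '<spa shell>' };
  const session = sessionFor(req);
  if (!session) return { status: 401, body: 'authentication required' };
  if ((RANK[session.role] || 0) < RANK[route.requires]) {
    return { status: 403, body: 'forbidden' };
  }
  return { status: 200, body: `data for ${req.path}` };
}

// Reproduce the advisory's PoC against both models: an unauthenticated client
// that simply requests the API behind the hidden route.
function demo() {
  const probe = { path: '/api/content-creation', headers: {} };
  return {
    legacy: handleLegacy(probe).status,     // 200: hidden route served
    hardened: handleHardened(probe).status, // 401: session required
  };
}

console.log(demo());
```

Run with node: the anonymous probe returns 200 from the legacy model and 401 from the hardened one, and a viewer session gets 403. A real browser strips the fragment before sending the request, so the server sees "/" for http://192.168.1.20:8080/#/content-creation; that is why the check must live on the API endpoints the SPA route calls, not on the route string the client shows or hides.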

Copyright ©2024 Exploitalert.