CVE-2020-36920

iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. Attackers can create users, modify roles and permissions, and potentially achieve full application takeover by exploiting insecure direct object references.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://cxsecurity.com/issue/WLB-2020110025
https://exchange.xforce.ibmcloud.com/vulnerabilities/191260
https://packetstorm.news/files/id/159918
https://web.archive.org/web/20200919100215/http://www.yerootech.com/
https://www.exploit-db.com/exploits/48992
https://www.vulncheck.com/advisories/ids-dsspro-digital-signage-system-privilege-escalation-via-access-control
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5608.php
https://www.exploit-db.com/exploits/48992

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) iDS6 DSSPro Digital Signage System 6.2 contiene una vulnerabilidad de control de acceso inadecuado que permite a los usuarios autenticados elevar privilegios a través de funciones JavaScript de consola. Los atacantes pueden crear usuarios, modificar roles y permisos, y potencialmente lograr el control total de la aplicación explotando referencias directas a objetos inseguras.

06 Jan 2026, 20:15

Type	Values Removed	Values Added
References	~~() https://www.exploit-db.com/exploits/48992 -~~	() https://www.exploit-db.com/exploits/48992 -

06 Jan 2026, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-06 16:15

Updated : 2026-04-15 00:35

NVD link : CVE-2020-36920

Mitre link : CVE-2020-36920

CVE.ORG link : CVE-2020-36920

JSON object : View

Products Affected

No product.

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2020-36920", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-06T16:15:48.250", "references": [{"url": "https://cxsecurity.com/issue/WLB-2020110025", "source": "disclosure@vulncheck.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/191260", "source": "disclosure@vulncheck.com"}, {"url": "https://packetstorm.news/files/id/159918", "source": "disclosure@vulncheck.com"}, {"url": "https://web.archive.org/web/20200919100215/http://www.yerootech.com/", "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/48992", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/ids-dsspro-digital-signage-system-privilege-escalation-via-access-control", "source": "disclosure@vulncheck.com"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5608.php", "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/48992", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. Attackers can create users, modify roles and permissions, and potentially achieve full application takeover by exploiting insecure direct object references."}, {"lang": "es", "value": "iDS6 DSSPro Digital Signage System 6.2 contiene una vulnerabilidad de control de acceso inadecuado que permite a los usuarios autenticados elevar privilegios a trav\u00e9s de funciones JavaScript de consola. Los atacantes pueden crear usuarios, modificar roles y permisos, y potencialmente lograr el control total de la aplicaci\u00f3n explotando referencias directas a objetos inseguras."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "disclosure@vulncheck.com"}