VYPR
Medium severity (CVSS 4.3) · NVD Advisory · Published Jan 6, 2026 · Updated Apr 15, 2026

CVE-2020-36918

Description

iDS6 DSSPro Digital Signage System 6.2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft malicious web pages to trick logged-in administrators into adding unauthorized users by exploiting the lack of CSRF protections.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

iDS6 DSSPro Digital Signage System 6.2 lacks CSRF protection, allowing attackers to trick administrators into performing administrative actions like adding unauthorized users.

The vulnerability in iDS6 DSSPro Digital Signage System 6.2 arises from a missing cross-site request forgery (CSRF) protection mechanism. The application interface processes HTTP requests without validating their origin, enabling attackers to craft malicious web pages that perform actions on behalf of an authenticated administrator [1][3][4].

To exploit this, an attacker must trick a logged-in administrator into visiting a specially crafted page. The exploit example demonstrates a form that automatically submits a POST request to the /Pages/user!addUser endpoint, adding a new user with attacker-controlled credentials [3][4]. No additional authentication or session token is required beyond the victim's active session.

Successful exploitation allows an attacker to perform administrative actions, such as creating unauthorized user accounts, without the administrator's knowledge or consent. This can lead to unauthorized access to the digital signage management system and potential compromise of the entire system [1][3][4].

As of the advisory publication date (July 2020), the vendor had not released a patch for the affected version of this CVSS 4.3 vulnerability. Users are advised to implement additional security controls, such as CSRF tokens or same-site cookie attributes, and to restrict access to the management interface [1][3].
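As an added illustration of the two controls named above (example code written for this page, not code from the iDS6 product or the advisory), the following Python check applies them to a state-changing request such as a POST to /Pages/user!addUser: it rejects requests whose Origin/Referer is not the management interface's own origin and requires a session-bound synchronizer token, and it shows the SameSite cookie attribute that keeps the browser from attaching the session to a cross-site POST at all. The trusted origin, server key and cookie name are assumed values.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed values for this example; a real deployment keeps the key in
# server-side configuration and derives the trusted origin from its own URL.
TRUSTED_ORIGIN = "https://signage.example.internal"
SERVER_KEY = b"constructed-example-key-not-for-production"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session. A page on another origin
    cannot read it, so it cannot be copied into an auto-submitting form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session (cookie name is assumed). SameSite=Lax
    stops the browser from sending the cookie with a cross-site POST."""
    return f"Set-Cookie: SESSION={session_id}; Secure; HttpOnly; SameSite=Lax"


def validate_request(req: dict) -> tuple[bool, str]:
    """Decide whether a request may reach an action such as user!addUser.
    req is a plain dict: method, path, headers, form, session_id."""
    if req["method"].upper() in SAFE_METHODS:
        return True, "safe method"
    headers = {k.lower(): v for k, v in req["headers"].items()}
    # 1. The browser-supplied Origin (or Referer) must be our own site.
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False, "missing Origin/Referer on state-changing request"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != TRUSTED_ORIGIN:
        return False, f"cross-site request from {parts.netloc}"
    # 2. The form must carry the token issued for this exact session.
    expected = issue_csrf_token(req["session_id"])
    supplied = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

Both checks are needed: the Origin check fails open on clients that strip Origin and Referer, and the token alone does not help if the session cookie is still sent cross-site by a legacy browser.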

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
