Cayin CMS
CVEs (5)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-36910 | | High | 0.57 | 8.8 | 0.01 | | Jan 6, 2026 | Cayin Signage Media Player 3.0 contains an authenticated remote command injection vulnerability in system.cgi and wizard_system.cgi pages. Attackers can exploit the 'NTP_Server_IP' parameter with default credentials to execute arbitrary shell commands as root. |
| CVE-2020-7357 | | | 0.06 | — | 0.34 | | Aug 6, 2020 | Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'NTP_Server_IP' HTTP POST parameter in system.cgi page. This issue… |
| CVE-2020-7356 | | | 0.04 | — | 0.14 | | Aug 6, 2020 | CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability. Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate… |
| CVE-2020-6954 | | | 0.00 | — | 0.01 | | Jan 13, 2020 | An issue was discovered on Cayin SMP-PRO4 devices. A user can discover a saved password by viewing the URL after a Connection String Test. This password is shown in the webpass parameter of a media_folder.cgi?apply_mode=ping_server URI. |
| CVE-2020-6955 | | | 0.00 | — | 0.01 | | Jan 13, 2020 | An issue was discovered on Cayin SMP-PRO4 devices. They allow image_preview.html?filename= reflected XSS. |