CVE-2019-20354

Published: 06/01/2020 Updated: 14/01/2020
CVSS v2 Base Score: 4 | Impact Score: 2.9 | Exploitability Score: 8
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Vulnerability Summary

The web application component of piSignage prior to 2.6.4 allows a remote attacker (authenticated as a low-privilege user) to download arbitrary files from the Raspberry Pi via api/settings/log?file=../ path traversal. In other words, this issue is in the player API for log download.
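A detection sketch for the request pattern in the summary, added here as an example and not code from piSignage or the advisory: it scans web access-log lines for requests to api/settings/log whose file parameter decodes to a traversal path. The combined log format, the leading slash on the endpoint and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

LOG_ENDPOINT = "/api/settings/log"   # endpoint from the summary (leading slash assumed)
PARAM = "file"                       # parameter from the summary

# Assumed access-log layout (combined log format); adapt to your proxy or server.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines (documentation IP range, made-up file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2020:10:00:01 +0000] "GET /api/settings/log?file=player.log HTTP/1.1" 200 5120',
    '192.0.2.44 - - [10/Jan/2020:10:02:13 +0000] "GET /api/settings/log?file=../../constructed/secret.txt HTTP/1.1" 200 1843',
    '192.0.2.44 - - [10/Jan/2020:10:02:19 +0000] "GET /api/settings/log?file=%252e%252e%252fconstructed%252fsecret.txt HTTP/1.1" 404 0',
    '192.0.2.10 - - [10/Jan/2020:10:05:00 +0000] "GET /api/files?file=../x HTTP/1.1" 404 0',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded separators are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True when the decoded value is absolute, climbs with '..', or holds a NUL."""
    path = fully_decode(value).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/") or "\x00" in path

def suspicious_requests(lines):
    """Return (HTTP status, decoded file value) for traversal attempts on the log endpoint."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path.rstrip("/") != LOG_ENDPOINT:
            continue
        # parse_qs decodes once; is_traversal/fully_decode handle further layers.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if is_traversal(value):
                hits.append((int(m.group("status")), fully_decode(value)))
    return hits

if __name__ == "__main__":
    for status, value in suspicious_requests(SAMPLE_LOG):
        print(status, value)
```

A hit with status 200 on a version prior to 2.6.4 is the case to triage first, since the response likely contained the requested file.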

Affected Products

Vendor | Product | Versions
Pisignage | Pisignage | 0.7.5, 0.8.8, 0.8.9, 1.0.0, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.3.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.6.2, 1.6.3, 1.7.2, 1.7.4, 1.7.5, 1.7.6, 1.7.8, 1.7.9, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.5a, 1.9.6, 1.9.6a, 1.9.7, 1.9.7b, 1.9.7c, 1.9.7d, 1.9.7f, 1.9.8, 1.9.8a, 1.9.8b, 1.9.8c, 1.9.9, 1.9.9b, 1.9.9d, 2.0.0, 2.0.1, 2.0.2, 2.0.3a, 2.0.4, 2.0.5, 2.1.0, 2.1.1, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.4.2, 2.4.4, 2.4.5, 2.4.6, 2.5.0, 2.5.1, 2.5.3, 2.5.4, 2.6.0, 2.6.1, 2.6.2, 2.6.3

Mailing Lists

piSignage version 264 suffers from a directory traversal vulnerability ...