CVE-2020-36897
CRITICAL 9.8
Description
QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated remote code execution vulnerability in the QH.aspx file that allows attackers to upload malicious ASPX scripts. Attackers can exploit the file upload functionality by using the 'remotePath' and 'fileToUpload' parameters to write and execute arbitrary system commands on the server.
CVE Details
CVSS v3.1 Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 12/10/2025
Last Modified: 12/17/2025
Source: nvd
Honeypot Sightings: 0
Affected Products
howfor:qihang_media_web_digital_signage
Weaknesses (CWE)
CWE-434
References
http://www.howfor.com (disclosure@vulncheck.com)
https://www.exploit-db.com/exploits/48751 (disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/qihang-media-web-digital-signage-unauthenticated-remote-code-execution (disclosure@vulncheck.com)
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5582.php (disclosure@vulncheck.com)
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5582.php (134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.