EIBIZ i-Media Server Digital Signage 3.8.0 Unauthenticated Configuration Disclosure

Advisories

severity: high
date: December 10, 2025
Affecting: i-Media Server Digital Signage <= 3.8.0
CVE: CVE-2020-36895
CWE: CWE-639 Authorization Bypass Through User-Controlled Key
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References: ExploitDB-48764
EIBIZ Homepage
Zero Security Lab Disclosure (ZSL-2020-5583)
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: EIBIZ i-Media Server Digital Signage 3.8.0 contains an unauthenticated configuration disclosure vulnerability that allows remote attackers to access sensitive configuration files via direct object reference. Attackers can retrieve the SiteConfig.properties file through an HTTP GET request, exposing administrative credentials, database connection details, and system configuration information.