iDS6 DSSPro Digital Signage System 6.2 Cross-Site Request Forgery via User Management

Advisories

severity: medium
date: January 5, 2026
Affecting: V6.2 B2014.12.12.1220
V5.6 B2017.07.12.1757
V4.3
CVE: CVE-2020-36918
CWE: CWE-352 Cross-Site Request Forgery (CSRF)
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
References: ExploitDB-48990
Zero Science Lab Disclosure (ZSL-2020-5606)
Archived Yeroo Tech Vendor Homepage
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange
CXSecurity Vulnerability Database Entry
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: iDS6 DSSPro Digital Signage System 6.2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft malicious web pages to trick logged-in administrators into adding unauthorized users by exploiting the lack of CSRF protections.