ReQuest Serious Play F3 Media Server <= 7.0.3 Debug Log Disclosure

Advisories

severity: high
date: December 5, 2025
Affecting: 7.0.3.4968
7.0.2.4954
6.5.2.4954
6.4.2.4681
6.3.2.4203
2.0.1.823
CVE: CVE-2020-36876
CVE type: CWE-532 Insertion of Sensitive Information into Log File
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References: ExploitDB-48950
ReQuest Software Link
Zero Science Lab Disclosure (ZSL-2020-5600)
Credit: Gjoko Krstic of Zero Science Lab
Description: ReQuest Serious Play F3 Media Server versions 7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823 allows unauthenticated attackers to disclose the webserver's Python debug log file containing system information, credentials, paths, processes and command arguments running on the device. Attackers can access sensitive information by visiting the message_log page.