Sony BRAVIA Digital Signage 1.7.8 Unauthenticated Remote File Inclusion

Advisories

severity: medium
date: January 5, 2026
Affecting: Sony BRAVIA Digital Signage <= 1.7.8
CVE: CVE-2020-36924
CWE: CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CVSS: 5.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References: ExploitDB-49186
Sony BRAVIA Digital Signage Product Homepage
BRAVIA Signage Software Resources
Sony Professional Display Software Product Page
Zero Science Lab Disclosure (ZSL-2020-5612)
Packet Storm Security Exploit Archive
IBM X-Force Exchange Vulnerability Entry
CXSecurity Vulnerability Listing
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: Sony BRAVIA Digital Signage 1.7.8 contains a remote file inclusion vulnerability that allows attackers to inject arbitrary client-side scripts through the content material URL parameter. Attackers can exploit this vulnerability to hijack user sessions, execute cross-site scripting code, and modify display content by manipulating the input material type.