CVE-2020-36884 MEDIUM

CVE-2020-36884: BrightSign Digital Signage Diagnostic Web Server 8.2.26 Unauthenticated SSRF

Vendor Brightsign, Llc

Product BrightSign Digital Signage Diagnostic Web Server

Weakness CWE-918 · SSRF

Published December 10, 2025

Last update December 11, 2025

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

What the vulnerability does

01Description

BrightSign Digital Signage Diagnostic Web Server 8.2.26 and less contains an unauthenticated server-side request forgery vulnerability in the 'url' GET parameter of the Download Speed Test service. Attackers can specify external domains to bypass firewalls and perform network enumeration by forcing the application to make arbitrary HTTP requests to internal network hosts.

Key dates

02Disclosure timeline

December 10, 2025 CVE published

December 11, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-36884

Related vulnerabilities

Identifiers

CVE CVE-2020-36884

CWE CWE-918

CVSS 6.9 / MEDIUM

Affected versions