CVE-2020-36896 HIGH

CVE-2020-36896: QiHang Media Web Digital Signage 3.0.9 Cleartext Credentials Disclosure

Vendor Shenzhen Xingmeng Qihang Media Co., Ltd.; Guangzhou Hefeng Automation Technology Co., Ltd.
Product QiHang Media Web Digital Signage
Weakness CWE-522 · Insufficiently protected credentials
Published December 10, 2025
Last update December 11, 2025

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

QiHang Media Web Digital Signage 3.0.9 contains a cleartext credentials vulnerability that allows unauthenticated attackers to access administrative login information through an unprotected XML file. Attackers can retrieve hardcoded admin credentials by requesting the '/xml/User/User.xml' file, enabling direct authentication bypass.

Key dates

02 Disclosure timeline

December 10, 2025 CVE published
December 11, 2025 Record updated