QwikSec

Security Database

CVE

CWE

Training

CVE-2020-36884

Published: Dec 10, 2025

Modified: Dec 11, 2025

PUBLISHED

Description

BrightSign Digital Signage Diagnostic Web Server 8.2.26 and less contains an unauthenticated server-side request forgery vulnerability in the 'url' GET parameter of the Download Speed Test service. Attackers can specify external domains to bypass firewalls and perform network enumeration by forcing the application to make arbitrary HTTP requests to internal network hosts.

Vendor	Product	Versions
BrightSign, LLC	BrightSign Digital Signage Diagnostic Web Server	affected `0 - <= 8.2.26`

Weaknesses (CWE)

References

ExploitDB-48843

exploit

BrightSign Homepage

product

Zero Science Lab Disclosure

third-party-advisory

Zero Science GitHub Repository

issue-tracking

VulnCheck Advisory: BrightSign Digital Signage Diagnostic Web Server 8.2.26 Unauthenticated SSRF

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.