QwikSec

Security Database

CVE

CWE

Training

CVE-2020-36896

Published: Dec 10, 2025

Modified: Dec 11, 2025

PUBLISHED

Description

QiHang Media Web Digital Signage 3.0.9 contains a cleartext credentials vulnerability that allows unauthenticated attackers to access administrative login information through an unprotected XML file. Attackers can retrieve hardcoded admin credentials by requesting the '/xml/User/User.xml' file, enabling direct authentication bypass.

Vendor	Product	Versions
Shenzhen Xingmeng Qihang Media Co., Ltd.Guangzhou Hefeng Automation Technology Co., Ltd.	QiHang Media Web Digital Signage	affected `3.0.9`

Weaknesses (CWE)

References

ExploitDB-48748

exploit

Official Product Homepage

product

Vendor Security Advisory for ZSL-2020-5579

vendor-advisory

vdb-entry

VulnCheck Advisory: QiHang Media Web Digital Signage 3.0.9 Cleartext Credentials Disclosure

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.