Arbitrary File Download Vulnerability in piSignage Player API

Arbitrary File Download Vulnerability in piSignage Player API

CVE-2019-20354 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

The web application component of piSignage before 2.6.4 allows a remote attacker (authenticated as a low-privilege user) to download arbitrary files from the Raspberry Pi via api/settings/log?file=../ path traversal. In other words, this issue is in the player API for log download.

Learn more about our Web App Pen Testing.