Vulnerability-Lookup

CVE-2017-17737 (GCVE-0-2017-17737)

Vulnerability from cvelistv5 – Published: 2017-12-18 06:00 – Updated: 2024-08-05 20:59

Summary

The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has XSS via the REF parameter to /network_diagnostics.html or /storage_info.html.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

CNVD-2018-01361

Vulnerability from cnvd - Published: 2018-01-19

Title

BrightSign Digital Signage（4k242）跨站脚本漏洞

Description

BrightSign Digital Signage（4k242）是美国BrightSign公司的一套数字标牌多媒体播放设备。使用6.2.63及之前版本固件的BrightSign Digital Signage（4k242）存在跨站脚本漏洞，该漏洞源于程序未能验证用户输入。远程攻击者可通过向/network_diagnostics.html or /storage_info.html网页发送‘REF’参数利用该漏洞执行代码，窃取令牌。

Severity

中

Formal description

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法： https://www.brightsign.biz/

Reference

http://www.information-paradox.net/2017/12/brightsign-multiple-vulnerablities-cve.html https://www.exploit-db.com/exploits/43364/

Impacted products

Name
BrightSign BrightSign Digital Signage（4k242） <=6.2.63

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-17737"
    }
  },
  "description": "BrightSign Digital Signage\uff084k242\uff09\u662f\u7f8e\u56fdBrightSign\u516c\u53f8\u7684\u4e00\u5957\u6570\u5b57\u6807\u724c\u591a\u5a92\u4f53\u64ad\u653e\u8bbe\u5907\u3002\r\n\r\n\u4f7f\u75286.2.63\u53ca\u4e4b\u524d\u7248\u672c\u56fa\u4ef6\u7684BrightSign Digital Signage\uff084k242\uff09\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u9a8c\u8bc1\u7528\u6237\u8f93\u5165\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5411/network_diagnostics.html or /storage_info.html\u7f51\u9875\u53d1\u9001\u2018REF\u2019\u53c2\u6570\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4ee3\u7801\uff0c\u7a83\u53d6\u4ee4\u724c\u3002",
  "discovererName": "Information Paradox",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\nhttps://www.brightsign.biz/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-01361",
  "openTime": "2018-01-19",
  "products": {
    "product": "BrightSign BrightSign Digital Signage\uff084k242\uff09 \u003c=6.2.63"
  },
  "referenceLink": "http://www.information-paradox.net/2017/12/brightsign-multiple-vulnerablities-cve.html\r\nhttps://www.exploit-db.com/exploits/43364/",
  "serverity": "\u4e2d",
  "submitTime": "2017-12-20",
  "title": "BrightSign Digital Signage\uff084k242\uff09\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

GHSA-CM2W-GHPW-WMPP

Vulnerability from github – Published: 2022-05-14 04:00 – Updated: 2025-04-20 03:50

Details

The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has XSS via the REF parameter to /network_diagnostics.html or /storage_info.html.

Severity ?

6.1 (Medium)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2017-17737"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-18T06:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has XSS via the REF parameter to /network_diagnostics.html or /storage_info.html.",
  "id": "GHSA-cm2w-ghpw-wmpp",
  "modified": "2025-04-20T03:50:06Z",
  "published": "2022-05-14T04:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17737"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/43364"
    },
    {
      "type": "WEB",
      "url": "http://www.information-paradox.net/2017/12/brightsign-multiple-vulnerablities-cve.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2017-17737

Vulnerability from fkie_nvd - Published: 2017-12-18 06:29 - Updated: 2025-04-20 01:37

Severity ?

6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has XSS via the REF parameter to /network_diagnostics.html or /storage_info.html.

References

URL	Tags
cve@mitre.org	http://www.information-paradox.net/2017/12/brightsign-multiple-vulnerablities-cve.html	Issue Tracking, Third Party Advisory
cve@mitre.org	https://www.exploit-db.com/exploits/43364/	Exploit, Issue Tracking, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.information-paradox.net/2017/12/brightsign-multiple-vulnerablities-cve.html	Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.exploit-db.com/exploits/43364/	Exploit, Issue Tracking, Third Party Advisory, VDB Entry

Impacted products

	Vendor	Product	Version
	brightsign	4k242_firmware	*
	brightsign	4k242	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:brightsign:4k242_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "82EA334D-2F6D-4ED6-9C25-707BFB52A55B",
              "versionEndIncluding": "6.2.63",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:brightsign:4k242:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B8A7CE79-D3DA-4F59-92F6-2EBBF69EFB82",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has XSS via the REF parameter to /network_diagnostics.html or /storage_info.html."
    },
    {
      "lang": "es",
      "value": "El dispositivo BrightSign Digital Signage (4k242)(firmware 6.2.63 y anterior) tiene una vulnerabilidad de Cross-Site Scripting (XSS) mediante el par\u00e1metro REF en /network_diagnostics.html o /storage_info.html."
    }
  ],
  "id": "CVE-2017-17737",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-12-18T06:29:00.287",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "http://www.information-paradox.net/2017/12/brightsign-multiple-vulnerablities-cve.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.exploit-db.com/exploits/43364/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "http://www.information-paradox.net/2017/12/brightsign-multiple-vulnerablities-cve.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.exploit-db.com/exploits/43364/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2017-17737

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has XSS via the REF parameter to /network_diagnostics.html or /storage_info.html.

Aliases

CVE-2017-17737

Aliases

CVE-2017-17737

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-17737",
    "description": "The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has XSS via the REF parameter to /network_diagnostics.html or /storage_info.html.",
    "id": "GSD-2017-17737",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2017-17737"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-17737"
      ],
      "details": "The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has XSS via the REF parameter to /network_diagnostics.html or /storage_info.html.",
      "id": "GSD-2017-17737",
      "modified": "2023-12-13T01:21:04.636454Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2017-17737",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has XSS via the REF parameter to /network_diagnostics.html or /storage_info.html."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://www.information-paradox.net/2017/12/brightsign-multiple-vulnerablities-cve.html",
            "refsource": "MISC",
            "url": "http://www.information-paradox.net/2017/12/brightsign-multiple-vulnerablities-cve.html"
          },
          {
            "name": "43364",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/43364/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:brightsign:4k242_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.2.63",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:brightsign:4k242:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-17737"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has XSS via the REF parameter to /network_diagnostics.html or /storage_info.html."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.information-paradox.net/2017/12/brightsign-multiple-vulnerablities-cve.html",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Third Party Advisory"
              ],
              "url": "http://www.information-paradox.net/2017/12/brightsign-multiple-vulnerablities-cve.html"
            },
            {
              "name": "43364",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Exploit",
                "Issue Tracking",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "https://www.exploit-db.com/exploits/43364/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2018-01-04T18:57Z",
      "publishedDate": "2017-12-18T06:29Z"
    }
  }
}

VAR-201712-0913

Vulnerability from variot - Updated: 2025-04-20 23:29

The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has XSS via the REF parameter to /network_diagnostics.html or /storage_info.html. BrightSign Digital Signage (4k242) is a set of digital signage multimedia player equipment from BrightSign Company in the United States. A remote attacker could use this vulnerability to execute code by sending a 'REF' parameter to the /network_diagnostics.html or /storage_info.html webpage to execute code and steal tokens.

The pages:

/network_diagnostics.html /storage_info.html

Suffer from a Cross-Site Scripting vulnerability. The REF parameter for these pages do not sanitize user input, resulting in arbitrary execution, token theft and related attacks.

The RP parameter in STORAGE.HTML suffers from a directory traversal/information leakage weakness: /storage.html?rp=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc

Through parameter manipulation, the file system can be traversed, unauthenticated, allowing for leakage of information and compromise of the device.

This page also allows for unauthenticated upload of files.

/tools.html

Page allows for unauthenticated rename/manipulation of files.

When combined, these vulnerabilities allow for compromise of both end users and the device itself.

Ex. A malicious attacker can upload a malicious page of their choosing and steal credentials, host malicious content or distribute content through the device, which accepts large format SD cards

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201712-0913",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "4k242",
        "scope": "lte",
        "trust": 3.4,
        "vendor": "brightsign",
        "version": "6.2.63"
      },
      {
        "model": "digital signage",
        "scope": "lte",
        "trust": 0.6,
        "vendor": "brightsign",
        "version": "\u003c=6.2.63"
      },
      {
        "model": "4k242",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "brightsign",
        "version": "6.2.63"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-01361"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011556"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011555"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011554"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201712-661"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-17737"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:brightsign:4k242_firmware",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011556"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "singularitysec",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "145489"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2017-17737",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "CVE-2017-17737",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 7.5,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2017-17737",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 6.4,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2017-17737",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "CNVD-2018-01361",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "VHN-108789",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.8,
            "id": "CVE-2017-17737",
            "impactScore": 2.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.8,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2017-17737",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 7.5,
            "baseSeverity": "High",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2017-17737",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2017-17737",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2017-17737",
            "trust": 0.8,
            "value": "Critical"
          },
          {
            "author": "NVD",
            "id": "CVE-2017-17737",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "NVD",
            "id": "CVE-2017-17737",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2018-01361",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201712-661",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-108789",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-01361"
      },
      {
        "db": "VULHUB",
        "id": "VHN-108789"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011556"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011555"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011554"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201712-661"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-17737"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has XSS via the REF parameter to /network_diagnostics.html or /storage_info.html. BrightSign Digital Signage (4k242) is a set of digital signage multimedia player equipment from BrightSign Company in the United States. A remote attacker could use this vulnerability to execute code by sending a \u0027REF\u0027 parameter to the /network_diagnostics.html or /storage_info.html webpage to execute code and steal tokens. \n \nThe pages:\n \n/network_diagnostics.html\n/storage_info.html\n \nSuffer from a Cross-Site Scripting vulnerability. The REF parameter for\nthese pages do not sanitize user input, resulting in arbitrary execution,\ntoken theft and related attacks. \n \n \n \nThe RP parameter in STORAGE.HTML suffers from a directory\ntraversal/information leakage weakness:\n/storage.html?rp=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc\n \nThrough parameter manipulation, the file system can be traversed,\nunauthenticated, allowing for leakage of information and compromise of the\ndevice. \n \nThis page also allows for unauthenticated upload of files. \n \n/tools.html\n \nPage allows for unauthenticated rename/manipulation of files. \n \nWhen combined, these vulnerabilities allow for compromise of both end users\nand the device itself. \n \nEx. A malicious attacker can upload a malicious page of their choosing and\nsteal credentials, host malicious content or distribute content through the\ndevice, which accepts large format SD cards",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-17737"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011556"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011555"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011554"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-01361"
      },
      {
        "db": "VULHUB",
        "id": "VHN-108789"
      },
      {
        "db": "PACKETSTORM",
        "id": "145489"
      }
    ],
    "trust": 3.78
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-108789",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-108789"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2017-17737",
        "trust": 4.8
      },
      {
        "db": "EXPLOIT-DB",
        "id": "43364",
        "trust": 1.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011556",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011555",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011554",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201712-661",
        "trust": 0.7
      },
      {
        "db": "EXPLOITDB",
        "id": "43364",
        "trust": 0.6
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-01361",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "145489",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-108789",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-01361"
      },
      {
        "db": "VULHUB",
        "id": "VHN-108789"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011556"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011555"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011554"
      },
      {
        "db": "PACKETSTORM",
        "id": "145489"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201712-661"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-17737"
      }
    ]
  },
  "id": "VAR-201712-0913",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-01361"
      },
      {
        "db": "VULHUB",
        "id": "VHN-108789"
      }
    ],
    "trust": 1.7
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "IoT"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-01361"
      }
    ]
  },
  "last_update_date": "2025-04-20T23:29:30.339000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "4K Product Line",
        "trust": 2.4,
        "url": "https://www.brightsign.biz/digital-signage-products/legacy-products/4k-product-line"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011556"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011555"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011554"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.9
      },
      {
        "problemtype": "CWE-22",
        "trust": 0.8
      },
      {
        "problemtype": "CWE-264",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-108789"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011556"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011555"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011554"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-17737"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 4.7,
        "url": "http://www.information-paradox.net/2017/12/brightsign-multiple-vulnerablities-cve.html"
      },
      {
        "trust": 1.7,
        "url": "https://www.exploit-db.com/exploits/43364/"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-17739"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-17738"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-17737"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17739"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17738"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17737"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-01361"
      },
      {
        "db": "VULHUB",
        "id": "VHN-108789"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011556"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011555"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011554"
      },
      {
        "db": "PACKETSTORM",
        "id": "145489"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201712-661"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-17737"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-01361"
      },
      {
        "db": "VULHUB",
        "id": "VHN-108789"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011556"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011555"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011554"
      },
      {
        "db": "PACKETSTORM",
        "id": "145489"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201712-661"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-17737"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-01-19T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-01361"
      },
      {
        "date": "2017-12-18T00:00:00",
        "db": "VULHUB",
        "id": "VHN-108789"
      },
      {
        "date": "2018-01-18T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-011556"
      },
      {
        "date": "2018-01-18T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-011555"
      },
      {
        "date": "2018-01-18T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-011554"
      },
      {
        "date": "2017-12-19T14:26:57",
        "db": "PACKETSTORM",
        "id": "145489"
      },
      {
        "date": "2017-12-19T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201712-661"
      },
      {
        "date": "2017-12-18T06:29:00.287000",
        "db": "NVD",
        "id": "CVE-2017-17737"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-01-19T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-01361"
      },
      {
        "date": "2018-01-04T00:00:00",
        "db": "VULHUB",
        "id": "VHN-108789"
      },
      {
        "date": "2018-01-18T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-011556"
      },
      {
        "date": "2018-01-18T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-011555"
      },
      {
        "date": "2018-01-18T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-011554"
      },
      {
        "date": "2017-12-19T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201712-661"
      },
      {
        "date": "2025-04-20T01:37:25.860000",
        "db": "NVD",
        "id": "CVE-2017-17737"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201712-661"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "BrightSign Digital Signage Path traversal vulnerability in device firmware",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-011556"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "XSS",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201712-661"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2017-17737 (GCVE-0-2017-17737)

CNVD-2018-01361

GHSA-CM2W-GHPW-WMPP

FKIE_CVE-2017-17737

GSD-2017-17737

VAR-201712-0913

Tags

Sightings

Nomenclature