CVE-2020-36902

UBICOD Medivision Digital Signage version 1.5.1 is affected by CVE-2020-36902, an authorization bypass vulnerability stemming from CWE-862 (Missing Authorization). The flaw allows privilege escalation by manipulating the 'ft[grp]' parameter in a GET request to the /html/user endpoint. By setting 'ft[grp]' to the integer value '3', normal users or attackers can gain super admin rights. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting and sending a simple GET request to /html/user?ft[grp]=3, they bypass authorization controls and elevate to super admin privileges, potentially enabling full control over the digital signage system, including configuration changes, content manipulation, or further compromise of connected infrastructure.

Advisories from sources like VulnCheck, Zero Science Lab (ZSL-2020-5575), and an Exploit-DB proof-of-concept (EDB-ID 48684) detail the issue and provide exploit code, but no specific patches or vendor mitigations are outlined in the available references. Security practitioners should isolate affected systems, apply any available updates from the vendor (medivision.co.kr), and implement web application firewalls to block parameter tampering on the /html/user endpoint.

A public exploit is available on Exploit-DB, highlighting active research interest despite the CVE's 2020 designation and a 2025 publication timestamp in vulnerability databases. No evidence of widespread real-world exploitation or AI/ML relevance is noted.