RED-V Super Digital Signage System RXV-A740R Log Information Disclosure

Title: RED-V Super Digital Signage System RXV-A740R Log Information Disclosure
Advisory ID: ZSL-2020-5609
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 15.11.2020
Summary
RED-V Super Digital Signage transforms simple screens into customized TV channels, delivering audiovisual communication as immersive user experiences. It is the final blending of years of know-how in multimedia, mobile and web experience, tablet and multimedia server design.
Description
The application is vulnerable to a sensitive information disclosure vulnerability. An unauthenticated attacker can request several endpoints and retrieve the webserver's log file list together with debug log output, which expose sensitive information about the system resources running on the device.
Vendor
RED-V S.R.L. - https://www.red-v.tv
Affected Version
Model name: RXV-A740R
Android version: 5.1.1
Firmware version: 026
Player version: 7.8.6
Downloader version: 7.5.2
Launcher version: 6.8.8
Tested On
Apache Struts
Vendor Status
[26.10.2020] Vulnerability discovered.
[09.11.2020] Vendor contacted.
[09.11.2020] Vendor responds asking for more details.
[09.11.2020] Sent details to the vendor. Asked for confirmation and a scheduled patch release date.
[09.11.2020] Vendor confirms the issue and is working on a fix.
[10.11.2020] Vendor will release an update to block access to those files if not authenticated.
[15.11.2020] Public security advisory released.
PoC
red-v_supersignage.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/160073
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/191803
[3] https://cxsecurity.com/issue/WLB-2020110130
Changelog
[15.11.2020] - Initial release
[02.12.2020] - Added reference [1], [2] and [3]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk