CVE-2017-20217

HIGH

Serviio PRO 1.8 REST API Information Disclosure

Title source: cna

Description

Serviio PRO 1.8 contains an information disclosure vulnerability due to improper access control enforcement in the Configuration REST API that allows unauthenticated attackers to access sensitive information. Remote attackers can send specially crafted requests to the REST API endpoints to retrieve potentially sensitive configuration data without authentication.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · pythonwebappsjava

https://www.exploit-db.com/exploits/41958

View Code ZIP pw:eip

References (8)

[Third Party Advisory] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5404.php

[Third Party Advisory] https://blogs.securiteam.com/index.php/archives/3094

[Exploit] https://www.exploit-db.com/exploits/41958/

[Third Party Advisory] https://cxsecurity.com/issue/WLB-2017050022

[Exploit] https://packetstormsecurity.com/files/142383

[Third Party Advisory] http://www.securitylab.ru/poc/486048.php

[Vdb Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/125646

[Third Party Advisory] https://www.vulncheck.com/advisories/serviio-pro-rest-api-information-disclosure

Scores

CVSS v3 7.5

EPSS 0.0013

EPSS Percentile 31.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-306

Status published

Products (4)

Serviio/Serviio PRO 1.6.1

Serviio/Serviio PRO 1.7.0

Serviio/Serviio PRO 1.7.1

Serviio/Serviio PRO 1.8.0.0 PRO

Published Mar 16, 2026

Tracked Since Mar 16, 2026