CVE-2017-20220

HIGH

Serviio PRO 1.8 Unauthenticated Password Change via REST API

Title source: cna

Description

Serviio PRO 1.8 contains an improper access control vulnerability in the Configuration REST API that allows unauthenticated attackers to change the mediabrowser login password. Attackers can send specially crafted requests to the REST API endpoints to modify credentials without authentication.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · pythonwebappsjava

https://www.exploit-db.com/exploits/41960

View Code ZIP pw:eip

References (8)

[Third Party Advisory] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5407.php

[Third Party Advisory] https://blogs.securiteam.com/index.php/archives/3094

[Exploit] https://www.exploit-db.com/exploits/41960/

[Exploit] https://packetstormsecurity.com/files/142386

[Third Party Advisory] https://cxsecurity.com/issue/WLB-2017050025

[Third Party Advisory] http://www.securitylab.ru/poc/486047.php

[Vdb Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/125645

[Third Party Advisory] https://www.vulncheck.com/advisories/serviio-pro-unauthenticated-password-change-via-rest-api

Scores

CVSS v3 7.5

EPSS 0.0024

EPSS Percentile 46.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-306

Status published

Products (4)

Serviio/Serviio PRO 1.6.1

Serviio/Serviio PRO 1.7.0

Serviio/Serviio PRO 1.7.1

Serviio/Serviio PRO 1.8.0.0 PRO

Published Mar 16, 2026

Tracked Since Mar 16, 2026