CVE-2020-36878

HIGH

ReQuest Serious Play Media Player 3.0 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-36878. PoCs published by LiquidWorm.

AI-analyzed exploit summary This exploit demonstrates a directory traversal vulnerability in ReQuest Serious Play Media Player 3.0, allowing unauthenticated file disclosure via the 'file' parameter in tail.html and file.html scripts. The PoC includes example URLs to exploit the vulnerability.

Description

ReQuest Serious Play Media Player 3.0 contains an unauthenticated file disclosure vulnerability when input passed through the 'file' parameter in and script is not properly verified before being used to read web log files. Attackers can exploit this to disclose contents of files from local resources.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textwebappshardware

https://www.exploit-db.com/exploits/48949

View Code ZIP pw:eip

This exploit demonstrates a directory traversal vulnerability in ReQuest Serious Play Media Player 3.0, allowing unauthenticated file disclosure via the 'file' parameter in tail.html and file.html scripts. The PoC includes example URLs to exploit the vulnerability.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: ReQuest Serious Play Media Player 3.0.0 and earlier versions

No auth needed

Prerequisites: Network access to the vulnerable device

MITRE ATT&CK

T1006 - Direct Volume Access

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory vendor-advisory

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5599.php

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/48949

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/request-serious-play-f-media-player-directory-traversal-file-disclosure

Scores

CVSS v4 8.7

EPSS 0.0029

EPSS Percentile 20.6%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-73

Status published

Products (5)

ReQuest Serious Play LLC/ReQuest Serious Play Media Player 1.5.1.820

ReQuest Serious Play LLC/ReQuest Serious Play Media Player 1.5.2.821

ReQuest Serious Play LLC/ReQuest Serious Play Media Player 1.5.2.822

ReQuest Serious Play LLC/ReQuest Serious Play Media Player 2.1.0.831

ReQuest Serious Play LLC/ReQuest Serious Play Media Player 3.0.0

Published Dec 05, 2025

Tracked Since Feb 18, 2026