ReQuest Serious Play F3 Media Server Debug Log Disclosure Vulnerability

A vulnerability in ReQuest Serious Play F3 Media Server has been identified, allowing unauthenticated attackers to access the webserver's Python debug log file. This log file contains sensitive system information, including credentials, file paths, processes, and command arguments related to the device's operation. The vulnerability affects versions 7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823. Attackers can exploit this issue by visiting the message_log page on the server.

Impact

Exploitation of this vulnerability leads to unauthorized disclosure of sensitive information, including system details, user credentials, and command execution logs.

Reproduction

To reproduce this vulnerability, access the message_log page on a server running an affected version of ReQuest Serious Play F3 Media Server. The Python debug log will be disclosed, containing sensitive information such as system processes, paths, and credentials.