QiHang Media Web Digital Signage Cleartext Credential Disclosure Vulnerability

Vulnerability

A cleartext credential disclosure vulnerability has been identified in QiHang Media Web Digital Signage version 3.0.9. Unauthenticated attackers can obtain administrative login information from an unprotected XML file: requesting '/xml/User/User.xml' returns hardcoded admin credentials, which enables direct authentication bypass.

Impact

Exploitation of this vulnerability leads to unauthorized access through authentication bypass, allowing attackers to log in as an administrator.

Reproduction

To reproduce this vulnerability, send a request for the '/xml/User/User.xml' file. This can be done using a web browser or a command-line tool like curl. The response will contain an XML file with administrative credentials in cleartext.
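For defenders, requests for this file can be found in web access logs. The script below is an added example, not part of the original advisory or the vendor's code. It assumes Common/Combined Log Format, and its function names and sample log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Path named in the advisory, lower-cased for case-insensitive comparison
# (assumption: the page does not say whether the server is case-sensitive).
SENSITIVE_PATH = "/xml/user/user.xml"

# Assumption: access logs use Common/Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Dec/2025:21:40:02 +0000] "GET /xml/User/User.xml HTTP/1.1" 200 412
203.0.113.20 - - [10/Dec/2025:21:41:15 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.9 - - [10/Dec/2025:21:42:30 +0000] "GET /xml/%55ser/./user.XML?x=1 HTTP/1.1" 200 412
192.0.2.44 - - [10/Dec/2025:21:43:00 +0000] "GET /xml/User/User.xml HTTP/1.1" 403 0
""".splitlines()


def normalize(target):
    """Canonicalise a request target so encoded or padded variants still match."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path).replace("\\", "/")
    path = re.sub(r"/+", "/", path)          # collapse repeated slashes
    return posixpath.normpath(path).lower()  # resolve /./ and /../


def find_hits(lines):
    """Return one record per request for the credential file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalize(m["target"]) != SENSITIVE_PATH:
            continue
        # A 2xx response with a body means the file was actually served.
        served = m["status"].startswith("2") and m["size"] not in ("0", "-")
        hits.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                     "verdict": "DISCLOSED" if served else "probe"})
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

A DISCLOSED record means the file was returned to that client, so the admin credentials it contains should be treated as exposed.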

Added: Dec 10, 2025, 9:37 PM
Updated: Dec 10, 2025, 9:37 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.