Update: We have released a production firmware patch for the vulnerabilities outlined below. Please visit the Downloads page to download the update.
Two vulnerabilities have been found relating to the Diagnostic Web Server (DWS) on the device. These vulnerabilities are catalogued as CVE-2017-17737, -17738, and -17739.
- Viewable File Path: A user who already has access to the DWS can, by adding certain characters to the /storage.html URL, view directory listings that they should not be able to see. So far, it does not appear possible to view or edit the contents of files in this manner; only the directory listings are visible.
Note: We do not recommend using the DWS in security-sensitive production environments under any circumstance. Please see the BrightSign Player Security statement for more details.