CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
Serviio PRO 1.8 contains an improper access control vulnerability in the Configuration REST API that allows unauthenticated attackers to change the mediabrowser login password. Attackers can send specially crafted requests to the REST API endpoints to modify credentials without authentication.
Analysis
An improper access control vulnerability in Serviio PRO 1.8's Configuration REST API allows unauthenticated remote attackers to change the mediabrowser login password without any authentication. Multiple public proof-of-concept exploits are available on Exploit-DB and PacketStorm, making this vulnerability trivially exploitable. The vulnerability affects Serviio PRO versions 1.6.1 through 1.8.0.0 PRO and represents a complete authentication bypass allowing full account takeover.
Technical Context
Serviio PRO is media server software that exposes a REST API for configuration management. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function): the password change endpoint in the Configuration REST API does not verify whether the request comes from an authenticated user. The CPE identifier cpe:2.3:a:serviio:serviio_pro:*:*:*:*:*:*:*:* indicates that all versions are potentially affected, though EUVD specifically confirms versions 1.6.1, 1.7.0, 1.7.1, and 1.8.0.0 PRO. The REST API endpoint accepts specially crafted HTTP requests that modify user credentials without requiring any authentication token or session validation.
Affected Products
Serviio PRO versions 1.6.1, 1.7.0, 1.7.1, and 1.8.0.0 PRO are confirmed vulnerable according to EUVD. The CPE string cpe:2.3:a:serviio:serviio_pro:*:*:*:*:*:*:*:* suggests all versions may be affected. The vulnerability specifically impacts the Configuration REST API component of these versions. No information about Serviio Free edition vulnerability status is provided in the available data.
Remediation
No specific patch version or vendor advisory is mentioned in the provided references. Users should upgrade to a version newer than 1.8.0.0 PRO if one is available. As immediate mitigation, administrators should:
1) Restrict network access to the Serviio REST API using firewall rules.
2) Place the API behind an authenticating reverse proxy or a VPN.
3) Monitor logs for unauthorized password change attempts.
Contact Serviio support for official patch information, as no vendor advisory link is present in the references. The Zero Science Labs advisory (ZSL-2017-5407) may contain additional remediation details.
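Mitigation step 3 is the one that needs code, since the vulnerable endpoint answers unauthenticated requests with a success status and nothing in the application itself flags them. The following added example (not from the page, from Serviio or from Zero Science Labs) is a small log checker that raises a finding for any mutating request to credential-related Configuration REST API paths that either carries no credentials or originates outside an administrative allowlist. The log format (a reverse-proxy style line with an explicit auth=yes/no field), the path pattern under /rest/configuration/, and the IP ranges are constructed assumptions; the page does not name Serviio's actual endpoint paths.

```python
# Added example: detect credential-change requests to a configuration REST API
# that lack authentication or come from outside the admin network.
# Log format, paths and addresses are constructed for illustration.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed trusted management network; anything else is "external".
ADMIN_NETWORKS = [ipaddress.ip_network("192.168.10.0/24")]

# Assumed: credential-changing resources live under the Configuration REST API
# path. Adjust to the real endpoint names of the deployed product.
SENSITIVE_PATH = re.compile(r"^/rest/configuration/(password|credentials|user)\b", re.I)
MUTATING_METHODS = {"POST", "PUT", "PATCH"}

# Constructed reverse-proxy log format: the proxy records whether the request
# carried a session cookie or Authorization header as "auth=yes|no".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) auth=(?P<auth>yes|no)$'
)


@dataclass
class Finding:
    ts: str
    ip: str
    method: str
    path: str
    reason: str


def is_admin_source(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious credential change, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparsable line: skip (a real deployment would count these)
    if m["method"] not in MUTATING_METHODS or not SENSITIVE_PATH.match(m["path"]):
        return None
    reasons = []
    if m["auth"] == "no":
        reasons.append("request carried no credentials")
    if not is_admin_source(m["ip"]):
        reasons.append("source not in admin allowlist")
    if not reasons:
        return None
    return Finding(m["ts"], m["ip"], m["method"], m["path"], "; ".join(reasons))


def scan_log(text: str) -> List[Finding]:
    return [f for f in (check_line(l) for l in text.splitlines()) if f]


# Constructed sample log: one unauthenticated external change, one legitimate
# admin change, one harmless read, and one authenticated change from outside.
SAMPLE_LOG = """\
10.0.0.5 - [12/Jan/2024:10:00:01 +0000] "PUT /rest/configuration/password HTTP/1.1" 200 auth=no
192.168.10.7 - [12/Jan/2024:10:00:05 +0000] "PUT /rest/configuration/password HTTP/1.1" 200 auth=yes
192.168.10.7 - [12/Jan/2024:10:00:09 +0000] "GET /rest/configuration/status HTTP/1.1" 200 auth=yes
203.0.113.9 - [12/Jan/2024:10:01:00 +0000] "POST /rest/configuration/user HTTP/1.1" 200 auth=yes
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.method} {f.path}: {f.reason}")
```

Note that the first sample line returns HTTP 200: because the flaw is missing authentication rather than a failed check, a successful status is exactly what an exploited request looks like, so alerting must key on the absence of credentials and on the request source, not on error codes.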
EUVD identifier: EUVD-2017-18934