Session Fixation Vulnerability in All-Dynamics Software enlogic:show
CVE-2020-36913

8.5HIGH

Key Information:

Vendor

All-dynamics Software

Status
Enlogic:show Digital Signage System
Vendor
CVE Published:
6 January 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2020-36913?

The enlogic:show version 2.0.2 from All-Dynamics Software is susceptible to a session fixation vulnerability. This issue allows attackers to manipulate the PHP session identifier during the user login process. By sending specially crafted HTTP GET requests to welcome.php with a custom session token, attackers can bypass authentication checks, potentially leading to unauthorized access and execution of cross-site request forgery attacks. The vulnerability poses significant risks to user data and overall system integrity.

Affected Version(s)

enlogic:show Digital Signage System 2.0.2 (Build 2098) ILP32W 0/1/3/1597919619

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-36913 - Proof of Concept

References

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-55...
third-party-advisory
https://www.enlogic-show.com/index.dhtml/23695c31af422b93...
product
https://packetstormsecurity.com/files/158703
exploit

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

LiquidWorm as Gjoko Krstic of Zero Science Lab
JSON
.