Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1814+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2020-37228: iDS6 DSSPro Digital Signage CAPTCHA
CVE-2020-37228: iDS6 DSSPro Digital Signage CAPTCHA

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2020-37228

CVE-2020-37228: iDS6 DSSPro Digital Signage CAPTCHA

A critical CVSS 9.8 vulnerability in iDS6 DSSPro Digital Signage System 6.2 allows attackers to retrieve valid CAPTCHA codes from the login endpoint and...

Dylan H.

Security Team

May 16, 2026
3 min read

Affected Products

  • iDS6 DSSPro Digital Signage System 6.2

Overview

CVE-2020-37228 is a critical authentication bypass vulnerability (CVSS 9.8) affecting iDS6 DSSPro Digital Signage System version 6.2. The flaw resides in the CAPTCHA verification mechanism used to protect the login page — an attacker can programmatically retrieve a valid CAPTCHA response from the autoLoginVerifyCode object exposed by the login endpoint, rendering the CAPTCHA control completely ineffective.

With CAPTCHA defeated, attackers can mount automated brute-force campaigns against user credentials with no rate-limiting obstacle in place.

Technical Details

The vulnerability stems from the fact that the login endpoint returns — or exposes through an accessible API object — the expected CAPTCHA solution at request time. An attacker who first calls this endpoint can extract the autoLoginVerifyCode value and replay it in a valid login submission, bypassing the challenge-response mechanism entirely.

This design error means:

  • CAPTCHA is advisory only — it provides no real protection.
  • Brute-force is unconstrained — scripts can iterate credential lists at full speed.
  • No authentication required to exploit — the bypass is pre-auth and trivially automated.

Affected Products

ProductVersion
iDS6 DSSPro Digital Signage System6.2

Earlier or later versions have not been confirmed as affected at the time of disclosure.

Impact

Successful exploitation allows an unauthenticated attacker to bypass the CAPTCHA protection and perform automated credential brute-forcing against any user account on the system. If administrative credentials are compromised, attackers could gain full control over the digital signage infrastructure — modifying displayed content, exfiltrating stored media, or pivoting to the underlying host system.

Digital signage systems deployed in public-facing environments (retail, transportation, healthcare, government) are particularly high-value targets for manipulation and embarrassment attacks.

CVSS Score

MetricValue
Base Score9.8 (Critical)
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeUnchanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh

Remediation

  1. Update immediately — apply any patches issued by the vendor for DSSPro 6.2 that address the CAPTCHA implementation.
  2. Network isolation — place the management interface behind a VPN or firewall; restrict access to trusted IP ranges.
  3. Rate limiting — implement server-side rate limiting or account lockout policies independent of the CAPTCHA control.
  4. Monitor login logs — alert on abnormal volumes of authentication attempts.
  5. Credential hygiene — enforce strong, unique passwords on all accounts; enable MFA if supported.

References

  • NVD Entry: CVE-2020-37228

Related Reading

  • CVE-2020-37239: libbabl 0.1.62 Broken Double-Free Detection
  • CVE-2026-21997: Oracle Life Sciences Empirica Signal
  • CVE-2026-26477: DokuWiki media_upload_xhr() Denial of
#Vulnerability#CVE#Authentication-Bypass#Digital-Signage#NVD

Related Articles

CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System

An unauthenticated remote SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows attackers to manipulate the id parameter in /edit_exam1.php. No patch is available — apply input sanitization immediately.

3 min read

CVE-2026-4321: Critical SQL Injection in Raera Destekz Plugin (No Patch Available)

A CVSS 9.8 critical SQL injection in the Destekz plugin by Raera - Ankara Web Design allows unauthenticated remote attackers full database access. The...

2 min read

CVE-2026-49814: Dell PowerProtect Data Domain OS Command Injection

A high-severity OS command injection vulnerability in Dell PowerProtect Data Domain allows authenticated remote attackers to execute arbitrary commands...

3 min read
Back to all Security Alerts