CVE-2020-3926: 
ServiSign vulnerability analysis and mitigation

An arbitrary-file-access vulnerability was discovered in ServiSign security plugin (CVE-2020-3926). The vulnerability was identified on February 3, 2020, affecting ServiSign for Windows versions 1.0.19.0617 and earlier. ServiSign is a system developed by Changingtec in Taiwan that provides cross-platform solutions for digital signature and verification (CHT Security).

The vulnerability exists in the DLL file of the ServiSign system, where insecure APIs were present in several versions. The vulnerability allows attackers to assign any path parameter to read the contents of files on the user's computer through the API function without any authentication (CHT Security).

When exploited, attackers can deploy attack code in phishing or advertisement websites. If a user browses these compromised websites in an environment with ServiSign installed, the attacker can read the contents of specific file paths and upload them without authentication (CHT Security).

Users should upgrade from ServiSign for Windows version 1.0.19.0617 or earlier to a newer version that addresses this vulnerability (CHT Security).

The vulnerability was discovered and reported by the CHT Security Financial Security Assessment Team, specifically credited to Weber Tsai and Keniver Wang (CHT Security).