{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2020-36883","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2025-12-09T11:05:19.895Z","datePublished":"2025-12-10T20:47:08.593Z","dateUpdated":"2025-12-11T18:54:05.115Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Fusion Digital Signage","vendor":"SpenetiX AG","versions":[{"lessThanOrEqual":"3.4.8","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"LiquidWorm as Gjoko Krstic of Zero Science Lab"}],"datePublic":"2020-09-30T00:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>SpinetiX Fusion Digital Signage 3.4.8 and lower contains an authenticated path traversal vulnerability that allows attackers to manipulate file backup and deletion operations through unverified input parameters. Attackers can exploit path traversal techniques in index.php to write backup files to arbitrary locations and delete files by manipulating backup and file delete requests.</p>"}],"value":"SpinetiX Fusion Digital Signage 3.4.8 and lower contains an authenticated path traversal vulnerability that allows attackers to manipulate file backup and deletion operations through unverified input parameters. Attackers can exploit path traversal techniques in index.php to write backup files to arbitrary locations and delete files by manipulating backup and file delete requests."}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.8,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"LOW","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2025-12-10T20:47:08.593Z"},"references":[{"name":"ExploitDB-48844","tags":["exploit"],"url":"https://www.exploit-db.com/exploits/48844"},{"name":"Official Product Homepage","tags":["product"],"url":"https://www.spinetix.com"},{"name":"Zero Science Lab Disclosure ZSL-2020-5594","tags":["third-party-advisory"],"url":"https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5594.php"},{"name":"Mbed TLS GitHub Repository","tags":["product"],"url":"https://github.com/Mbed-TLS/mbedtls"},{"name":"VulnCheck Advisory: SpinetiX Fusion Digital Signage 3.4.8 Authenticated Path Traversal via File Operations","tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/spinetix-fusion-digital-signage-authenticated-path-traversal-via-file-operations"}],"source":{"discovery":"UNKNOWN"},"title":"SpinetiX Fusion Digital Signage 3.4.8 Authenticated Path Traversal via File Operations","x_generator":{"engine":"vulncheck"}},"adp":[{"references":[{"url":"https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5594.php","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-12-11T16:04:26.297314Z","id":"CVE-2020-36883","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-12-11T18:54:05.115Z"}}]}}