CVE-2020-36883

HIGH

SpinetiX Fusion Digital Signage <3.4.8 - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-36883. PoCs published by LiquidWorm.

AI-analyzed exploit summary: The exploit demonstrates an authenticated path traversal vulnerability in SpinetiX Fusion Digital Signage, allowing arbitrary file deletion and backup creation via crafted HTTP requests. It includes specific payloads for file backup, deletion, and null-terminated string bypass techniques.

Description

SpinetiX Fusion Digital Signage 3.4.8 and lower contains an authenticated path traversal vulnerability that allows attackers to manipulate file backup and deletion operations through unverified input parameters. Attackers can exploit path traversal techniques in index.php to write backup files to arbitrary locations and delete files by manipulating backup and file delete requests.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · text · webapps · hardware
https://www.exploit-db.com/exploits/48844


Classification: Working PoC 95%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: SpinetiX Fusion Digital Signage <= 3.4.8
Auth required
Prerequisites: Authenticated session (valid cookie) · Network access to the target
devstral-2 · analyzed Feb 18, 2026

References (5)

Core References
Exploit, Third Party Advisory, VDB Entry exploit
https://www.exploit-db.com/exploits/48844
Product product
https://www.spinetix.com
Exploit, Third Party Advisory third-party-advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5594.php
Not Applicable product
https://github.com/Mbed-TLS/mbedtls

Scores

CVSS v3 8.1
EPSS 0.0076
EPSS Percentile 50.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (1)
spinetix/fusion_digital_signage < 3.4.8
Published Dec 10, 2025
Tracked Since Feb 18, 2026