SpinetiX Fusion Digital Signage 3.4.8 Authenticated Path Traversal via File Operations

Advisories

SpinetiX Fusion Digital Signage 3.4.8 Authenticated Path Traversal via File Operations

severity: critical
date: 12/10/2025
Affecting: Fusion Digital Signage <= 3.4.8 (1.0.36274)
CVE: CVE-2020-36883
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS: 8.8
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
References: ExploitDB-48844
SpinetiX Homepage
Zero Science Lab Disclosure (ZSL-2020-5594)
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: SpinetiX Fusion Digital Signage 3.4.8 and lower contains an authenticated path traversal vulnerability that allows attackers to manipulate file backup and deletion operations through unverified input parameters. Attackers can exploit path traversal techniques in index.php to write backup files to arbitrary locations and delete files by manipulating backup and file delete requests.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo