CVE-2020-36886 - Vulnerability Details

SpinetiX Fusion Digital Signage 3.4.8 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. Attackers can craft a malicious web page that automatically submits a form to create a new admin user with full system privileges when a logged-in user visits the page.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Spinetix	Fusion Digital Signage

No data.

References

Link	Providers
https://www.exploit-db.com/exploits/48846
https://www.spinetix.com
https://www.spinetix.com/product/
https://www.vulncheck.com/advisories/spinetix-fusion-digital-signage-cross-site-request-forgery-via-user-creation
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5592.php

History

Thu, 11 Dec 2025 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Spinetix Spinetix fusion Digital Signage
Vendors & Products		Spinetix Spinetix fusion Digital Signage

Thu, 11 Dec 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 10 Dec 2025 21:00:00 +0000

Type	Values Removed	Values Added
Description		SpinetiX Fusion Digital Signage 3.4.8 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. Attackers can craft a malicious web page that automatically submits a form to create a new admin user with full system privileges when a logged-in user visits the page.
Title		SpinetiX Fusion Digital Signage 3.4.8 Cross-Site Request Forgery via User Creation
Weaknesses		CWE-352
References		https://www.exploit-db.com/exploits/48846 https://www.spinetix.com https://www.spinetix.com/product/ https://www.vulncheck.com/advisories/spinetix-fusion-digital-signage-cross-site-request-forgery-via-user-creation https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5592.php
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-12-10T20:48:38.588Z

Updated: 2025-12-11T18:53:45.677Z

Reserved: 2025-12-09T11:05:19.895Z

Link: CVE-2020-36886

Vulnrichment

Updated: 2025-12-11T16:03:52.544Z

NVD

Status : Awaiting Analysis

Published: 2025-12-10T21:16:00.953

Modified: 2025-12-12T15:18:42.140

Link: CVE-2020-36886

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object