Platform: other
Component: spinetix-fusion-digital-signage
Fixed in: 8.2.27
CVE-2020-36886 describes a Cross-Site Request Forgery (XSRF) vulnerability present in SpinetiX Fusion Digital Signage versions 0 through 8.2.26. This flaw allows an attacker to create new administrative user accounts without proper request validation, potentially granting them complete control over the system. The vulnerability was published on December 10, 2025, and a fix is available in version 8.2.27.
The impact of this XSRF vulnerability is significant. An attacker can craft a malicious web page that, when visited by a logged-in user with sufficient privileges, automatically submits a form to create a new administrative user account. Because the browser attaches the victim's session credentials to the forged request, the application processes it as if the privileged user had submitted it, sidestepping the intended authentication and authorization controls and effectively granting the attacker full system privileges. Successful exploitation could lead to unauthorized access to sensitive data, modification of system configurations, and even complete compromise of the digital signage deployment. The attacker could then leverage this administrative access to deploy malicious content, disrupt operations, or exfiltrate confidential information.
As of December 10, 2025, no public proof-of-concept exploits for CVE-2020-36886 are known. The vulnerability is not currently listed on the CISA KEV catalog. The EPSS score is pending evaluation. While no active campaigns have been confirmed, the XSRF nature of the vulnerability means it could be exploited opportunistically.
Organizations deploying SpinetiX Fusion Digital Signage in environments where users have administrative privileges and browse untrusted websites are at risk. Shared hosting environments where multiple users share the same instance of the digital signage software are particularly vulnerable, as an attacker could potentially compromise the entire deployment through a single user's account.
disclosure
Exploit status
EPSS
0.11% (29th percentile)
CISA SSVC
The primary mitigation for CVE-2020-36886 is to upgrade SpinetiX Fusion Digital Signage to version 8.2.27 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing stricter input validation on administrative account creation forms to mitigate the risk of unauthorized account creation. Web Application Firewalls (WAFs) configured to detect and block XSRF attacks can also provide an additional layer of protection. Regularly review user accounts and permissions to identify and remove any suspicious or unauthorized accounts.
Update SpinetiX Fusion Digital Signage to a version later than 8.2.26. This fixes the CSRF vulnerability that allows the creation of unauthorized administrative users. Consult the vendor's website for the latest version and update instructions.
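To make the class of flaw and the fix concrete, here is an added Python illustration (not SpinetiX's code; the endpoint shape, session model and deployment origin are assumptions) of an admin-creation handler that trusts any privileged session, beside one that enforces a same-origin check and a per-session synchronizer token:

```python
# Added illustration, not SpinetiX code: a cross-site request riding on a
# logged-in admin's session, and the checks that stop it. Endpoint shape,
# request/session model and the application origin are assumptions.
from __future__ import annotations
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

APP_ORIGIN = "https://signage.example.internal"  # assumed deployment origin


@dataclass
class Session:
    user: str
    is_admin: bool
    # per-session anti-CSRF token, embedded in the legitimate admin form
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    headers: dict            # e.g. {"Origin": ..., "Referer": ...}
    form: dict               # parsed body fields
    session: Session | None  # session the browser's cookie resolved to


def create_admin_unprotected(req: Request, users: dict) -> bool:
    """Vulnerable pattern: only checks that *a* privileged session exists.
    A form auto-submitted by a malicious page still carries the victim's
    cookie, so this accepts the forged request (the CVE-2020-36886 class)."""
    if req.method != "POST" or not (req.session and req.session.is_admin):
        return False
    users[req.form["username"]] = {"role": "admin"}
    return True


def request_origin(req: Request) -> str | None:
    """Origin of the page that issued the request; falls back to Referer."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return None
    p = urlsplit(src)
    return f"{p.scheme}://{p.netloc}"


def create_admin_protected(req: Request, users: dict) -> bool:
    """Hardened: same-origin check plus a per-session synchronizer token."""
    if req.method != "POST" or not (req.session and req.session.is_admin):
        return False
    if request_origin(req) != APP_ORIGIN:  # issued by a cross-site page
        return False
    sent = req.form.get("csrf_token", "")
    if not hmac.compare_digest(sent, req.session.csrf_token):
        return False                       # token missing or not this session's
    users[req.form["username"]] = {"role": "admin"}
    return True
```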
CVE-2020-36886 is a Cross-Site Request Forgery (XSRF) vulnerability allowing attackers to create admin accounts in SpinetiX Fusion Digital Signage versions 0-8.2.26, potentially gaining full system control.
You are affected if you are using SpinetiX Fusion Digital Signage versions 0 through 8.2.26. Upgrade to 8.2.27 or later to resolve the vulnerability.
Upgrade SpinetiX Fusion Digital Signage to version 8.2.27 or later. Consider implementing stricter input validation and WAF rules as interim measures.
No active exploitation campaigns have been confirmed as of December 10, 2025, but the vulnerability remains a potential risk.
Refer to the SpinetiX security advisory for detailed information and updates regarding CVE-2020-36886.