CVE-2020-36888

Dec. 10, 2025, 9:16 p.m.

6.9
Medium

Description

SpinetiX Fusion Digital Signage 3.4.8 contains a username enumeration vulnerability in its login script that allows attackers to identify valid user accounts. Attackers can send crafted login requests with different usernames to distinguish between existing and non-existing accounts by analyzing the server's error responses.

Product(s) Impacted

Vendor Product Versions
Spinetix
  • Fusion Digital Signage
  • 3.4.8

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-203
Observable Discrepancy
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a spinetix fusion_digital_signage 3.4.8 / / / / / / /

References

https://www.exploit-db.com/exploits/48847
https://www.spinetix.com
https://www.vulncheck.com/advisories/spinetix-fusion-digital-signage-username-enumeration-via-login-script
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5591.php

Tags

disclosure@vulncheck.com
CWE-203
2025-12-10
CVE-2020-36888

CVSS Score

6.9 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Dec. 10, 2025, 9:16 p.m.
Last Modified: Dec. 10, 2025, 9:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

disclosure@vulncheck.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.