CVE-2020-36996
Description
PHPFusion 9.03.50 contains a persistent (stored) cross-site scripting vulnerability in the print.php page, which fails to properly sanitize user-submitted message content. An attacker can inject JavaScript through a forum message; the script is stored with the message and executes in the browser of any user who renders the thread through the print page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHPFusion 9.03.50 has a persistent XSS in print.php because it does not sanitize forum messages, allowing script injection.
Vulnerability Analysis
PHPFusion 9.03.50 is vulnerable to a persistent cross-site scripting (XSS) attack in the print.php page. The root cause is that while the main forum message input is sanitized for HTML injection during normal display, the print functionality bypasses this sanitization. When a thread is rendered for printing via print.php, user-submitted message content is emitted without proper output encoding or filtering, so injected scripts execute in the viewer's browser [1][2].
Exploitation
An attacker with the ability to create or edit forum messages can inject HTML/JavaScript into a message body. The payload is stored in the database and triggered when any user (including an administrator) opens the print view of a thread containing the injected message. The vulnerable endpoint is print.php, reached with parameters such as `print.php?type=F&item_id=1&rowstart=0` [1]. No privilege beyond the ability to post a forum message is required, so the attack surface is reachable by any registered user.
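The following check is an added example, not code from PHPFusion or from the cited references. It shows how a tester who is authorized to assess an instance can confirm whether the print view encodes message content, without firing a live script payload: post a message containing an inert canary that carries the characters an XSS payload needs (`"`, `>`, `<`), then fetch the print URL described above and inspect how those characters come back. The canary value, the `forum.example` host and the sample response bodies are constructed for the example; the URL parameters (`type=F`, `item_id`, `rowstart`) are the ones named in the advisory.

```python
"""Non-destructive stored-XSS sink check for a PHPFusion forum print view.

Added example (not PHPFusion code). Assumes the tester has already posted a
forum message containing CANARY from a test account and knows the thread id.
Run only against systems you are authorized to test.
"""
import html
import re
import urllib.parse
import urllib.request

# Inert marker: a unique token followed by the three characters that must be
# encoded before user text can be placed safely inside HTML. If they reach the
# page verbatim, a <script> payload would too. (Constructed values.)
TOKEN = "xss-canary-7f3a"
SUFFIX = '"><'
CANARY = TOKEN + SUFFIX

_ENTITY = re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z]+);")


def build_print_url(base_url: str, item_id: int, rowstart: int = 0) -> str:
    """Print view of forum thread `item_id`, using the parameters from the advisory."""
    query = urllib.parse.urlencode({"type": "F", "item_id": item_id, "rowstart": rowstart})
    return urllib.parse.urljoin(base_url.rstrip("/") + "/", "print.php") + "?" + query


def _logical_chars(fragment: str):
    """Yield (character, was_entity_encoded) pairs, decoding HTML entities as one unit."""
    i = 0
    while i < len(fragment):
        m = _ENTITY.match(fragment, i)
        if m:
            yield html.unescape(m.group(0)), True
            i = m.end()
        else:
            yield fragment[i], False
            i += 1


def classify_reflection(body: str, token: str = TOKEN, suffix: str = SUFFIX) -> str:
    """Report how the canary survived rendering.

    'raw'      all special characters present verbatim: unencoded sink (vulnerable)
    'encoded'  all special characters entity-encoded: output encoding in place
    'partial'  some encoded, some raw: still exploitable in the right context
    'stripped' token present but the special characters were removed or mangled
    'absent'   token not found (wrong thread, post removed, access denied)
    """
    idx = body.find(token)
    if idx < 0:
        return "absent"
    seen = []
    for ch, encoded in _logical_chars(body[idx + len(token):]):
        seen.append((ch, encoded))
        if len(seen) == len(suffix):
            break
    if "".join(ch for ch, _ in seen) != suffix:
        return "stripped"
    flags = [encoded for _, encoded in seen]
    if all(flags):
        return "encoded"
    if not any(flags):
        return "raw"
    return "partial"


def check_print_page(base_url: str, item_id: int, fetch=None):
    """Fetch the print view and classify it. `fetch` is injectable for offline testing."""
    url = build_print_url(base_url, item_id)
    if fetch is None:
        def fetch(u: str) -> str:
            with urllib.request.urlopen(u, timeout=10) as resp:
                charset = resp.headers.get_content_charset() or "utf-8"
                return resp.read().decode(charset, "replace")
    return url, classify_reflection(fetch(url))


# Constructed sample responses, not captured from a real instance.
VULNERABLE_BODY = '<div class="post">hello xss-canary-7f3a"><</div>'
HARDENED_BODY = '<div class="post">hello xss-canary-7f3a&quot;&gt;&lt;</div>'
PARTIAL_BODY = '<div class="post">hello xss-canary-7f3a"&gt;&lt;</div>'

if __name__ == "__main__":
    for label, body in ("vulnerable", VULNERABLE_BODY), ("hardened", HARDENED_BODY):
        url, verdict = check_print_page("https://forum.example", 1, fetch=lambda u, b=body: b)
        print(f"{label}: {url} -> {verdict}")
```

A verdict of `raw` or `partial` on the print URL while the normal thread view returns `encoded` reproduces the bypass described above. Using a canary instead of an `alert()` payload keeps the test inert for other users who might open the same thread while the message is live; remove the test message afterwards.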
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session on the PHPFusion site. This can lead to session hijacking, defacement, or theft of sensitive data displayed on the page. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3 base score of 6.4 (Medium), indicating a moderate impact on confidentiality and integrity with low privileges required [2].
Mitigation
No patch for this version is recorded on this page, and the project may be end-of-life. The recommended mitigation is to upgrade to a patched version of PHPFusion if one is available. Where that is not possible, apply the same sanitization used for normal thread display to the print template, or at minimum HTML-encode message content at the point where print.php writes it into the page (the standard fix for CWE-79), restrict access to the print functionality, and review or disable the use of HTML in forum posts. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.