PHP-Fusion CMS
by PHP-Fusion
CVEs (10)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-12099 | Hig | 0.62 | 8.8 | 0.18 | May 14, 2019 | In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload. | ||
| CVE-2020-12461 | Hig | 0.57 | 8.8 | 0.02 | Apr 29, 2020 | PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. An attacker can develop a crafted payload that can be inserted into the sort_order GET parameter on the members.php members search page. This parameter allows for control over… | ||
| CVE-2020-14960 | Hig | 0.47 | 7.2 | 0.02 | Jun 22, 2020 | A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter, | ||
| CVE-2014-8597 | Med | 0.40 | 6.1 | 0.01 | Feb 17, 2022 | A reflected cross-site scripting (XSS) vulnerability in PHP-Fusion 7.02.07 allows remote attackers to inject arbitrary web script or HTML via the status parameter in the CMS admin panel. | ||
| CVE-2020-17450 | Med | 0.40 | 6.1 | 0.01 | Aug 12, 2020 | PHP-Fusion 9.03 allows XSS on the preview page. | ||
| CVE-2020-12708 | Med | 0.40 | 6.1 | 0.01 | May 7, 2020 | Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. NOTE: this might overlap CVE-2012-6043. | ||
| CVE-2020-12706 | Med | 0.38 | 5.4 | 0.03 | May 7, 2020 | Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php | ||
| CVE-2020-12718 | Med | 0.35 | 5.4 | 0.01 | May 8, 2020 | In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle. | ||
| CVE-2020-12438 | Med | 0.35 | 5.4 | 0.01 | Apr 28, 2020 | An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags. | ||
| CVE-2020-15041 | Med | 0.31 | 4.8 | 0.01 | Jun 24, 2020 | PHP-Fusion 9.03.60 allows XSS via the administration/site_links.php Add Site Link field. |
- risk 0.62cvss 8.8epss 0.18
In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload.
- risk 0.57cvss 8.8epss 0.02
PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. An attacker can develop a crafted payload that can be inserted into the sort_order GET parameter on the members.php members search page. This parameter allows for control over…
- risk 0.47cvss 7.2epss 0.02
A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter,
- risk 0.40cvss 6.1epss 0.01
A reflected cross-site scripting (XSS) vulnerability in PHP-Fusion 7.02.07 allows remote attackers to inject arbitrary web script or HTML via the status parameter in the CMS admin panel.
- risk 0.40cvss 6.1epss 0.01
PHP-Fusion 9.03 allows XSS on the preview page.
- risk 0.40cvss 6.1epss 0.01
Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. NOTE: this might overlap CVE-2012-6043.
- risk 0.38cvss 5.4epss 0.03
Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php
- risk 0.35cvss 5.4epss 0.01
In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle.
- risk 0.35cvss 5.4epss 0.01
An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags.
- risk 0.31cvss 4.8epss 0.01
PHP-Fusion 9.03.60 allows XSS via the administration/site_links.php Add Site Link field.