PHP Fusion
by PHP-Fusion
CVEs (41)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2005-2783 | | 0.03 | — | 0.00 | | Sep 2, 2005 | Cross-site scripting (XSS) vulnerability in PHP-Fusion 6.00.107 and earlier allows remote attackers to inject arbitrary web script or HTML via nested, malformed URL BBCode tags. |
| CVE-2005-2075 | | 0.03 | — | 0.03 | | Jun 29, 2005 | PHP-Fusion 5.0 and 6.0 stores the database file with a predictable filename under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to the filename in the administration/db_backups directory in PHP-Fusion 6.0 or the fusion_admin/db_backups directory in 5.0. |
| CVE-2005-0829 | | 0.03 | — | 0.00 | | May 2, 2005 | Cross-site scripting (XSS) vulnerability in setuser.php of the Digitanium addon to PHP-Fusion 5.01 allows remote attackers to inject arbitrary web script or HTML via the (1) user_name or (2) user_pass parameters. |
| CVE-2005-0345 | | 0.03 | — | 0.04 | | May 2, 2005 | viewthread.php in php-fusion 4.x does not check the (1) forum_id or (2) forum_cat parameters, which allows remote attackers to view protected forums via the thread_id parameter. |
| CVE-2004-1724 | | 0.03 | — | 0.04 | | Aug 18, 2004 | The ReadMe First.txt file in PHP-Fusion 4.0 instructs users to set the permissions on the fusion_admin/db_backups directory to world read/write/execute (777), which allows remote attackers to download or view database backups, which have easily guessable filenames and contain the administrator username and password. |
| CVE-2020-37152 | | 0.00 | — | 0.00 | | Feb 5, 2026 | PHP-Fusion 9.03.50 panels.php is vulnerable to cross-site scripting (XSS) via the 'panel_content' POST parameter. The application fails to properly sanitize user input before rendering it in the browser, allowing attackers to inject arbitrary JavaScript. This can be exploited by submitting crafted input to the 'panel_content' field in panels.php, resulting in execution of malicious scripts in the context of the affected site. |
| CVE-2008-6850 | | 0.00 | — | 0.00 | | Jul 7, 2009 | Cross-site scripting (XSS) vulnerability in messages.php in PHP-Fusion 6.01.17 and 7.00.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2007-3559 | | 0.00 | — | 0.00 | | Jul 4, 2007 | Cross-site scripting (XSS) vulnerability in infusions/shoutbox_panel/shoutbox_panel.php in PHP-Fusion 6.01.10 and 6.01.9, when guest posts are enabled, allows remote authenticated users to inject arbitrary web script or HTML via the URI, related to the FUSION_QUERY constant. |
| CVE-2006-3555 | | 0.00 | — | 0.01 | | Jul 13, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in submit.php in PHP-Fusion before 6.01.3 allow remote attackers to inject arbitrary web script or HTML by using edit_profile.php to upload a (1) avatar or (2) forum image attachment that has a .gif or .jpg extension, and begins with a GIF header followed by JavaScript code, which is executed by Internet Explorer. |
| CVE-2006-0593 | | 0.00 | — | 0.01 | | Feb 8, 2006 | Cross-site scripting (XSS) vulnerability in PHP-Fusion before 6.00.304 allows remote attackers to inject arbitrary web script or HTML via the (1) shout_name field in shoutbox_panel.php and the (2) comments field in comments_include.php. |
| CVE-2005-4655 | | 0.00 | — | 0.00 | | Dec 31, 2005 | Cross-site scripting (XSS) vulnerability in submit.php in PHP-Fusion 6.0.204 allows remote attackers to inject arbitrary web script or HTML via nested tags in the news_body parameter, as demonstrated by elements such as `<me<meta>ta` and `<sc<script>ript>`. |
| CVE-2005-3740 | | 0.00 | — | 0.01 | | Nov 22, 2005 | Multiple SQL injection vulnerabilities in PHP-Fusion 6.00.206 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the forum_id parameter to options.php or (2) lastvisited parameter to viewforum.php. |
| CVE-2005-3161 | | 0.00 | — | 0.01 | | Oct 6, 2005 | Multiple SQL injection vulnerabilities in PHP-Fusion before 6.00.110 allow remote attackers to execute arbitrary SQL commands via (1) the activate parameter in register.php and (2) the cat_id parameter in faq.php. |
| CVE-2005-3158 | | 0.00 | — | 0.01 | | Oct 6, 2005 | SQL injection vulnerability in messages.php in PHP-Fusion 6.00.106 and 6.00.107 allows remote attackers to execute arbitrary SQL commands via the (1) pm_email_notify and (2) pm_save_sent parameters, a different vulnerability than CVE-2005-3157 and CVE-2005-3159. |
| CVE-2005-3160 | | 0.00 | — | 0.00 | | Oct 6, 2005 | Multiple SQL injection vulnerabilities in photogallery.php in PHP-Fusion allow remote attackers to execute arbitrary SQL commands via the (1) album and (2) photo parameters. |
| CVE-2005-2401 | | 0.00 | — | 0.00 | | Jul 27, 2005 | PHP-Fusion allows remote attackers to inject arbitrary Cascading Style Sheets (CSS) via the BBCode color tag. |
| CVE-2005-2074 | | 0.00 | — | 0.00 | | Jun 29, 2005 | Cross-site scripting (XSS) vulnerability in PHP-Fusion 6.0.105 allows remote attackers to inject arbitrary web script or HTML via a news or article post, possibly involving the (1) news_body, (2) article_description, or (3) article_body parameters to submit.php. |
| CVE-2005-0692 | | 0.00 | — | 0.00 | | Mar 6, 2005 | Cross-site scripting (XSS) vulnerability in fusion_core.php for PHP-Fusion 5.x allows remote attackers to inject arbitrary web script or HTML via a message with IMG bbcode containing character-encoded Javascript. |
| CVE-2004-2437 | | 0.00 | — | 0.01 | | Dec 31, 2004 | SQL injection vulnerability in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the rowstart parameter to (1) index.php or (2) members.php, or (3) the comment_id parameter to comments.php. |
| CVE-2004-1723 | | 0.00 | — | 0.00 | | Dec 31, 2004 | The (1) updateuser.php and (2) forums_prune.php scripts in PHP-Fusion 4.00 allow remote attackers to obtain sensitive information via a direct HTTP request, which reveals the installation path in an error message. |