VYPR vendor page

PHP-Fusion

PHP-Fusion is a free and open-source web framework based on PHP and MySQL or MariaDB that includes an integrated content management system (CMS) among many other features.

Products: 19
CVEs: 91 (94 across products)
Status: Private

Recent CVEs (91 total)
  • CVE-2015-8375 (Medium), Sep 25, 2017
    risk 0.28, CVSS 5.4, EPSS 0.01

    Cross-site scripting (XSS) vulnerability in PHP-Fusion 9.

  • CVE-2020-24949, Sep 3, 2020
    risk 0.10, CVSS not listed, EPSS 0.67

    Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE).

  • CVE-2019-12099, May 14, 2019
    risk 0.07, CVSS not listed, EPSS 0.18

    In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload.

  • CVE-2013-1807, Apr 30, 2014
    risk 0.04, CVSS not listed, EPSS 0.08

    PHP-Fusion before 7.02.06 stores backup files with predictable filenames in an unrestricted directory under the web document root, which might allow remote attackers to obtain sensitive information via a direct request to the backup file in administration/db_backups/.

  • CVE-2013-1806, Apr 30, 2014
    risk 0.04, CVSS not listed, EPSS 0.08

    Multiple directory traversal vulnerabilities in PHP-Fusion before 7.02.06 allow remote authenticated users to include and execute arbitrary files via a .. (dot dot) in the (1) user_theme parameter to maincore.php; or remote authenticated administrators to delete arbitrary files…

  • CVE-2010-4931, Oct 9, 2011
    risk 0.04, CVSS not listed, EPSS 0.16

    Directory traversal vulnerability in maincore.php in PHP-Fusion allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the folder_level parameter. NOTE: this issue has been disputed by a reliable third party.

  • CVE-2006-2330, May 12, 2006
    risk 0.04, CVSS not listed, EPSS 0.08

    PHP-Fusion 6.00.306 and earlier, running under Apache HTTP Server 1.3.27 and PHP 4.3.3, allows remote authenticated users to upload files of arbitrary types using a filename that contains two or more extensions that ends in an assumed-valid extension such as .gif, which bypasses…

  • CVE-2005-2075, Jun 29, 2005
    risk 0.04, CVSS not listed, EPSS 0.07

    PHP-Fusion 5.0 and 6.0 stores the database file with a predictable filename under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to the filename in the administration/db_backups directory…

  • CVE-2004-1724, Aug 18, 2004
    risk 0.04, CVSS not listed, EPSS 0.07

    The ReadMe First.txt file in PHP-Fusion 4.0 instructs users to set the permissions on the fusion_admin/db_backups directory to world read/write/execute (777), which allows remote attackers to download or view database backups, which have easily guessable filenames and contain…

  • CVE-2020-35687, Jan 13, 2021
    risk 0.03, CVSS not listed, EPSS 0.01

    PHP-Fusion version 9.03.90 is vulnerable to a CSRF attack that lets an attacker delete all shoutbox messages on behalf of a logged-in victim.

  • CVE-2020-12706, May 7, 2020
    risk 0.03, CVSS not listed, EPSS 0.03

    Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php.

  • CVE-2014-8596, Nov 17, 2014
    risk 0.03, CVSS not listed, EPSS 0.03

    Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow remote authenticated users to execute arbitrary SQL commands via the (1) submit_id parameter in a 2 action to files/administration/submissions.php or (2) status parameter to files/administration/members.php.

  • CVE-2013-7375, May 5, 2014
    risk 0.03, CVSS not listed, EPSS 0.04

    SQL injection vulnerability in includes/classes/Authenticate.class.php in PHP-Fusion 7.02.01 through 7.02.05 allows remote attackers to execute arbitrary SQL commands via the user ID in a user cookie, a different vulnerability than CVE-2013-1803.

  • CVE-2013-1803, May 5, 2014
    risk 0.03, CVSS not listed, EPSS 0.04

    Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to execute arbitrary SQL commands via the (1) orderby parameter to downloads.php; or remote authenticated users with certain permissions to execute arbitrary SQL commands via a (2)…

  • CVE-2013-1804, Apr 29, 2014
    risk 0.03, CVSS not listed, EPSS 0.04

    Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web…

  • CVE-2012-6043, Nov 26, 2012
    risk 0.03, CVSS not listed, EPSS 0.02

    Cross-site scripting (XSS) vulnerability in downloads.php in PHP-Fusion 7.02.04 allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter.

  • CVE-2010-4791, Apr 27, 2011
    risk 0.03, CVSS not listed, EPSS 0.01

    SQL injection vulnerability in infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php in the MG User-Fotoalbum (mg_user_fotoalbum_panel) module 1.0.1 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the album_id parameter.

  • CVE-2011-0512, Jan 20, 2011
    risk 0.03, CVSS not listed, EPSS 0.02

    SQL injection vulnerability in team.php in the Teams Structure module 3.0 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the team_id parameter.

  • CVE-2009-0832, Mar 5, 2009
    risk 0.03, CVSS not listed, EPSS 0.01

    SQL injection vulnerability in items.php in the E-Cart module 1.3 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the CA parameter.

  • CVE-2009-0831, Mar 5, 2009
    risk 0.03, CVSS not listed, EPSS 0.01

    SQL injection vulnerability in members.php in the Members CV (job) module 1.0 for PHP-Fusion, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the sortby parameter.
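Several entries above (CVE-2013-1806 with the user_theme parameter to maincore.php, and the disputed CVE-2010-4931 with folder_level) describe the same defect: a request value spliced into an include path, so a ".." sequence walks out of the intended directory. The following is an added example written for this page, not PHP-Fusion's code; the function names, the theme directory layout and the sample inputs are all constructed for illustration.

```php
<?php
// Added example (not PHP-Fusion code): the path-traversal pattern behind
// CVE-2013-1806 (user_theme) and CVE-2010-4931 (folder_level). Function and
// parameter names are illustrative.
declare(strict_types=1);

// Vulnerable shape: the request value is spliced into an include path, so
// user_theme=../../../etc/passwd walks out of the theme directory.
function vulnerableThemePath(string $themeRoot, string $userTheme): string
{
    return $themeRoot . '/' . $userTheme . '/theme.php';
}

// Hardened: accept one path component of safe characters, require the
// theme to exist, and confirm the resolved path is still under $themeRoot
// after realpath() has collapsed ".." and followed symlinks.
function safeThemePath(string $themeRoot, string $userTheme): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $userTheme)) {
        return null; // rejects "..", "/", "\\", NUL bytes and empty names
    }
    $root = realpath($themeRoot);
    $candidate = realpath($themeRoot . '/' . $userTheme . '/theme.php');
    if ($root === false || $candidate === false) {
        return null; // unknown theme
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the theme tree
    }
    return $candidate;
}

// Constructed theme tree in a temp dir so the demo runs offline.
$root = sys_get_temp_dir() . '/theme-demo-' . getmypid();
mkdir($root . '/Default', 0700, true);
file_put_contents($root . '/Default/theme.php', "<?php // demo theme\n");

foreach (['Default', '../../../etc/passwd', "Default\0x"] as $t) {
    printf("%-28s vulnerable: %s\n", json_encode($t), vulnerableThemePath($root, $t));
    printf("%-28s hardened:   %s\n", '', safeThemePath($root, $t) ?? 'REJECTED');
}

// Clean up the constructed tree.
unlink($root . '/Default/theme.php');
rmdir($root . '/Default');
rmdir($root);
```

The character allow-list does the real work; the realpath() prefix comparison is the second line of defence for the case where a theme directory is itself a symlink pointing elsewhere. Checking for ".." as a substring alone is not enough, because encodings, backslashes on Windows and NUL-byte truncation on older PHP versions have all defeated that kind of filter.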
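CVE-2006-2330 above describes an upload filter that accepted any name ending in an assumed-valid extension such as .gif. With Apache's mod_mime, a handler bound to .php (AddHandler application/x-httpd-php .php) matches any dotted segment of the filename, so a file named shell.php.gif passes the filter and is still executed as PHP. The example below is added for this page and is not PHP-Fusion's upload code; the weak check, the hardened acceptance function and the 1x1 GIF used as input are constructed for illustration. It assumes the GD-independent getimagesize() that ships with PHP.

```php
<?php
// Added example (not PHP-Fusion code): why a "last extension" check fails
// (the CVE-2006-2330 pattern) and a stricter acceptance test. Names are
// illustrative.
declare(strict_types=1);

// Vulnerable shape: only the trailing extension is examined, so
// "shell.php.gif" is accepted. Under Apache mod_mime with a .php handler
// every extension in the name is considered, and the file runs as PHP.
function weakExtensionCheck(string $filename): bool
{
    return (bool) preg_match('/\.(gif|jpe?g|png)$/i', $filename);
}

// Hardened: exactly one extension from an allow-list, the file content must
// parse as that image type, and the stored name is chosen by the server.
// Returns the server-side filename to use, or null to reject.
function acceptImageUpload(string $clientName, string $tmpPath): ?string
{
    $allowed = ['gif' => IMAGETYPE_GIF, 'jpg' => IMAGETYPE_JPEG,
                'jpeg' => IMAGETYPE_JPEG, 'png' => IMAGETYPE_PNG];
    $base = basename($clientName);
    if (substr_count($base, '.') !== 1) {
        return null; // "a.php.gif", "a", ".htaccess" are all rejected here
    }
    [$stem, $ext] = explode('.', $base, 2);
    $ext = strtolower($ext);
    if ($stem === '' || !isset($allowed[$ext])) {
        return null;
    }
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== $allowed[$ext]) {
        return null; // content does not match the claimed image type
    }
    // Random server-chosen name with an extension derived from the detected
    // type, so nothing from the client reaches the filesystem.
    return bin2hex(random_bytes(16)) . image_type_to_extension($info[2], true);
}

// Constructed input: a real 1x1 transparent GIF written to a temp file.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));

foreach (['avatar.gif', 'shell.php.gif', 'shell.phtml.jpg', 'avatar.png'] as $name) {
    printf("%-18s weak=%-7s strict=%s\n", $name,
        weakExtensionCheck($name) ? 'accept' : 'reject',
        acceptImageUpload($name, $tmp) ?? 'reject');
}
unlink($tmp);
```

The content check is not a complete defence on its own: a valid GIF with PHP appended is still a valid GIF to getimagesize(). The upload directory therefore also needs script execution disabled (or should sit outside the document root and be served through a handler), which is the same lesson the db_backups entries above teach for a different file type.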
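SQL injection is the most frequent class on this page, and CVE-2013-7375 is a useful reminder that the injected value need not be a query-string parameter: there it arrives in the user cookie's user ID. The added example below is not PHP-Fusion's authentication code; it contrasts the vulnerable string-concatenation shape with a validated, parameterised lookup, and uses an in-memory SQLite database through PDO (assumed available via the pdo_sqlite extension) so it runs offline. Table and column names are constructed.

```php
<?php
// Added example (not PHP-Fusion code): an untrusted cookie value reaching
// SQL unparameterised, as in CVE-2013-7375, beside a prepared-statement
// version. Schema and names are illustrative.
declare(strict_types=1);

function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT, user_level INTEGER)');
    $db->exec("INSERT INTO users VALUES (1, 'admin', 103), (2, 'alice', 101)");
    return $db;
}

// Vulnerable shape: the cookie value is interpolated into the query text.
function lookupVulnerable(PDO $db, string $cookieUserId): array
{
    $sql = "SELECT user_name, user_level FROM users WHERE user_id = '" . $cookieUserId . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: enforce the expected type, then bind the value as a parameter
// so it can never change the query's structure.
function lookupSafe(PDO $db, string $cookieUserId): array
{
    if (!ctype_digit($cookieUserId)) {
        return []; // a user ID is a non-negative integer, nothing else
    }
    $stmt = $db->prepare('SELECT user_name, user_level FROM users WHERE user_id = :id');
    $stmt->execute([':id' => (int) $cookieUserId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = demoDb();
// Constructed cookie values: a legitimate ID and an injection payload.
foreach (['2', "0' OR '1'='1"] as $cookie) {
    printf("cookie=%-16s vulnerable=%d row(s)  safe=%d row(s)\n", $cookie,
        count(lookupVulnerable($db, $cookie)), count(lookupSafe($db, $cookie)));
}
```

For the legitimate cookie both functions return one row; for the payload the concatenated query returns every user while the bound query returns none. One caveat for entries such as CVE-2013-1803 (orderby) and CVE-2009-0831 (sortby): a column name or sort direction cannot be bound as a parameter, so those values must be mapped through a fixed allow-list before they are placed in the ORDER BY clause.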