VYPR

Vendor CVEs

PHP-Fusion

All CVEs

91 total · sorted by risk
  • CVE-2021-3172Feb 17, 2023
    risk 0.00cvss epss 0.01

    An issue in Php-Fusion v9.03.90 fixed in v9.10.00 allows authenticated attackers to cause a Distributed Denial of Service via the Polling feature.

  • CVE-2022-3152Sep 7, 2022
    risk 0.00cvss epss 0.01

    Unverified Password Change in GitHub repository phpfusion/phpfusion prior to 9.10.20.

  • CVE-2014-8597Feb 17, 2022
    risk 0.00cvss epss 0.01

    A reflected cross-site scripting (XSS) vulnerability in PHP-Fusion 7.02.07 allows remote attackers to inject arbitrary web script or HTML via the status parameter in the CMS admin panel.

  • CVE-2020-23754Nov 2, 2021
    risk 0.00cvss epss 0.02

    Cross Site Scripting (XSS) vulnerability in infusions/member_poll_panel/poll_admin.php in PHP-Fusion 9.03.50, allows attackers to execute arbitrary code, via the polls feature.

  • CVE-2021-40188Oct 11, 2021
    risk 0.00cvss epss 0.01

    PHPFusion 9.03.110 is affected by an arbitrary file upload vulnerability. The File Manager function in admin panel does not filter all PHP extensions such as ".php, .php7, .phtml, .php5, ...". An attacker can upload a malicious file and execute code on the server.

  • CVE-2021-40189Oct 11, 2021
    risk 0.00cvss epss 0.02

    PHPFusion 9.03.110 is affected by a remote code execution vulnerability. The theme function will extract a file to "webroot/themes/{Theme Folder], where an attacker can access and execute arbitrary code.

  • CVE-2021-40541Oct 11, 2021
    risk 0.00cvss epss 0.01

    PHPFusion 9.03.110 is affected by cross-site scripting (XSS) in the preg patterns filter html tag without "//" in descript() function An authenticated user can trigger XSS by appending "//" in the end of text.

  • CVE-2020-23702Jul 7, 2021
    risk 0.00cvss epss 0.01

    Cross Site Scripting (XSS) vulnerability in PHP-Fusion 9.03.60 via 'New Shout' in /infusions/shoutbox_panel/shoutbox_admin.php.

  • CVE-2020-23185Jul 2, 2021
    risk 0.00cvss epss 0.00

    A stored cross site scripting (XSS) vulnerability in /administration/setting_security.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.

  • CVE-2020-23184Jul 2, 2021
    risk 0.00cvss epss 0.00

    A stored cross site scripting (XSS) vulnerability in /administration/settings_registration.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Registration" field.

  • CVE-2020-23182Jul 2, 2021
    risk 0.00cvss epss 0.01

    The component /php-fusion/infusions/shoutbox_panel/shoutbox_archive.php in PHP-Fusion 9.03.60 allows attackers to redirect victim users to malicious websites via a crafted payload entered into the Shoutbox message panel.

  • CVE-2020-23181Jul 2, 2021
    risk 0.00cvss epss 0.00

    A reflected cross site scripting (XSS) vulnerability in /administration/theme.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Manage Theme" field.

  • CVE-2020-23179Jul 2, 2021
    risk 0.00cvss epss 0.00

    A stored cross site scripting (XSS) vulnerability in administration/settings_main.php of PHP-Fusion 9.03.50 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Site footer" field.

  • CVE-2020-23178Jul 2, 2021
    risk 0.00cvss epss 0.01

    An issue exists in PHP-Fusion 9.03.50 where session cookies are not deleted once a user logs out, allowing for an attacker to perform a session replay attack and impersonate the victim user.

  • CVE-2021-28280Apr 29, 2021
    risk 0.00cvss epss 0.01

    CSRF + Cross-site scripting (XSS) vulnerability in search.php in PHPFusion 9.03.110 allows remote attackers to inject arbitrary web script or HTML

  • CVE-2020-35952Jan 3, 2021
    risk 0.00cvss epss 0.01

    login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow enumeration.

  • CVE-2020-23658Aug 26, 2020
    risk 0.00cvss epss 0.00

    PHP-Fusion 9.03.60 is affected by Cross Site Scripting (XSS) via infusions/member_poll_panel/poll_admin.php.

  • CVE-2020-17450Aug 12, 2020
    risk 0.00cvss epss 0.01

    PHP-Fusion 9.03 allows XSS on the preview page.

  • CVE-2020-17449Aug 12, 2020
    risk 0.00cvss epss 0.01

    PHP-Fusion 9.03 allows XSS via the error_log file.

  • CVE-2020-15041Jun 24, 2020
    risk 0.00cvss epss 0.01

    PHP-Fusion 9.03.60 allows XSS via the administration/site_links.php Add Site Link field.

  • CVE-2020-14960Jun 21, 2020
    risk 0.00cvss epss 0.02

    A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter,

  • CVE-2020-12718May 7, 2020
    risk 0.00cvss epss 0.01

    In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle.

  • CVE-2020-12708May 7, 2020
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. NOTE: this might overlap CVE-2012-6043.

  • CVE-2020-12461Apr 29, 2020
    risk 0.00cvss epss 0.02

    PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. An attacker can develop a crafted payload that can be inserted into the sort_order GET parameter on the members.php members search page. This parameter allows for control over…

  • CVE-2020-12438Apr 28, 2020
    risk 0.00cvss epss 0.01

    An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags.

  • CVE-2008-6850Jul 7, 2009
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in messages.php in PHP-Fusion 6.01.17 and 7.00.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2007-3559Jul 4, 2007
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in infusions/shoutbox_panel/shoutbox_panel.php in PHP-Fusion 6.01.10 and 6.01.9, when guest posts are enabled, allows remote authenticated users to inject arbitrary web script or HTML via the URI, related to the FUSION_QUERY constant.

  • CVE-2006-3555Jul 13, 2006
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in submit.php in PHP-Fusion before 6.01.3 allow remote attackers to inject arbitrary web script or HTML by using edit_profile.php to upload a (1) avatar or (2) forum image attachment that has a .gif or .jpg extension, and…

  • CVE-2006-0593Feb 8, 2006
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in PHP-Fusion before 6.00.304 allows remote attackers to inject arbitrary web script or HTML via the (1) shout_name field in shoutbox_panel.php and the (2) comments field in comments_include.php.

  • CVE-2005-4655Dec 31, 2005
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in submit.php in PHP-Fusion 6.0.204 allows remote attackers to inject arbitrary web script or HTML via nested tags in the news_body parameter, as demonstrated by elements such as "<meta" and "<script>".

  • CVE-2005-3740Nov 22, 2005
    risk 0.00cvss epss 0.02

    Multiple SQL injection vulnerabilities in PHP-Fusion 6.00.206 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the forum_id parameter to options.php or (2) lastvisited parameter to viewforum.php.

  • CVE-2005-3739Nov 22, 2005
    risk 0.00cvss epss 0.02

    Unspecified vulnerability in subheader.php in PHP-Fusion 6.00.206 and earlier allows remote attackers to obtain the full path via unspecified vectors.

  • CVE-2005-3161Oct 6, 2005
    risk 0.00cvss epss 0.01

    Multiple SQL injection vulnerabilities in PHP-Fusion before 6.00.110 allow remote attackers to execute arbitrary SQL commands via (1) the activate parameter in register.php and (2) the cat_id parameter in faq.php.

  • CVE-2005-3158Oct 6, 2005
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in messages.php in PHP-Fusion 6.00.106 and 6.00.107 allows remote attackers to execute arbitrary SQL commands via the (1) pm_email_notify and (2) pm_save_sent parameters, a different vulnerability than CVE-2005-3157 and CVE-2005-3159.

  • CVE-2005-3160Oct 6, 2005
    risk 0.00cvss epss 0.01

    Multiple SQL injection vulnerabilities in photogallery.php in PHP-Fusion allow remote attackers to execute arbitrary SQL commands via the (1) album and (2) photo parameters.

  • CVE-2005-2401Jul 27, 2005
    risk 0.00cvss epss 0.01

    PHP-Fusion allows remote attackers to inject arbitrary Cascading Style Sheets (CSS) via the BBCode color tag.

  • CVE-2005-2074Jun 29, 2005
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in PHP-Fusion 6.0.105 allows remote attackers to inject arbitrary web script or HTML via a news or article post, possibly involving the (1) news_body, (2) article_description, or (3) article_body parameters to submit.php.

  • CVE-2005-0692Mar 6, 2005
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in fusion_core.php for PHP-Fusion 5.x allows remote attackers to inject arbitrary web script or HTML via a message with IMG bbcode containing character-encoded Javascript.

  • CVE-2004-2437Dec 31, 2004
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the rowstart parameter to (1) index.php or (2) members.php, or (3) the comment_id parameter to comments.php.

  • CVE-2004-2438Dec 31, 2004
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in PHP-Fusion 4.01 allows remote attackers to inject arbitrary web script or HTML via the (1) Submit News, (2) Submit Link or (3) Submit Article field.

  • CVE-2004-1723Dec 31, 2004
    risk 0.00cvss epss 0.01

    The (1) updateuser.php and (2) forums_prune.php scripts in PHP-Fusion 4.00 allow remote attackers to obtain sensitive information via a direct HTTP request, which reveals the installation path in an error message.

Page 2 of 2