Vulnerabilities for 'Php-fusion'

2020-09-03
CVE-2020-24949
CWE-269
Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated non-admin user to send a crafted request to the server and achieve remote command execution (RCE).

2020-08-26
CVE-2020-23658
CWE-79
PHP-Fusion 9.03.60 is affected by Cross Site Scripting (XSS) via infusions/member_poll_panel/poll_admin.php.

2020-08-12
CVE-2020-17450
CWE-79
PHP-Fusion 9.03 allows XSS on the preview page.

CVE-2020-17449
CWE-79
PHP-Fusion 9.03 allows XSS via the error_log file.

2020-06-24
CVE-2020-15041
CWE-79
PHP-Fusion 9.03.60 allows XSS via the administration/site_links.php Add Site Link field.

2020-06-22
CVE-2020-14960
CWE-89
A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter.

2020-05-08
CVE-2020-12718
CWE-79
In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle.

2020-05-07
CVE-2020-12708
CWE-79
Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. NOTE: this might overlap CVE-2012-6043.

CVE-2020-12706
CWE-79
Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php.

2020-04-29
CVE-2020-12461
CWE-89
PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. An attacker can develop a crafted payload that can be inserted into the sort_order GET parameter on the members.php members search page. This parameter allows for control over anything after the ORDER BY clause in the SQL query.

Copyright 2020, cxsecurity.com
