107 matches found
PT-2023-30233 · Phpfox · Phpfox
Name of the Vulnerable Software and Affected Versions: phpFox versions prior to 4.8.14. Description: An issue was discovered where the url request parameter passed to the "/core/redirect" route is not properly sanitized before being used in a call to the unserialize PHP function. This can be...
phpFox 4.8.13 PHP Object Injection Exploit
phpFox versions 4.8.13 and below have an issue where user input passed through the "url" request parameter to the /core/redirect route is not properly sanitized before being used in a call to the unserialize PHP function. This can be exploited by remote, unauthenticated attackers to inject...
phpFox Security Vulnerabilities
phpFox is a social networking platform from phpFox Inc. A security vulnerability exists in phpFox 4.8.13 and earlier versions, which stems from user input passed to the /core/redirect route via a url request parameter that is not properly cleaned up before calling the unserialize PHP function,...
phpFox 4.8.13 PHP Object Injection
phpFox <= 4.8.13 redirect PHP Object Injection Vulnerability. Software Link: https://www.phpfox.com. Affected Versions: Version 4.8.13 and prior versions. Vulnerability...
CVE-2014-8469
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header...
Cross site scripting
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header...
CVE-2014-8469
CVE-2014-8469 is a stored XSS in PHPFox (Moxi9) before 4 Beta, exploitable via the User-Agent header in AdminCP's Guests/Boots. The issue arises from manipulating the user_agent field, enabling remote script/HTML injection. Public records show an exploit exists (PHPFox XSS AdminCP) and the vendor...
PHPFox Cross Site Scripting
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CNA primary MITRE Corporation cve-assign \NOSPAM\ mitre \NOSPAM\ org Software Vendors http://moxi9.com/phpfox Product: PhpFox Version: ALL Research Wesley Henrique Leite wesleyhenrique \NOSPAM gmail \NOSPAM// com + INFORMATION Vendor Notified :...
PHPFox - Persistent Cross-Site Scripting
PHPFox - Persistent Cross-Site Scripting Exploit Title: PHPFox XSS AdminCP Date: 2014-10-22 Exploit Author: Wesley Henrique Leite aka "spyk2r" Vendor Homepage: http://www.moxi9.com Version: All version CVE : CVE-2014-8469 Response Vendor: fixed 2014-10-23 to v4 Beta + DESCRIPTION The system store...
PHPFox - Persistent Cross-Site Scripting
Exploit Title: PHPFox XSS AdminCP Date: 2014-10-22 Exploit Author: Wesley Henrique Leite aka "spyk2r" Vendor Homepage: http://www.moxi9.com Version: All version CVE : CVE-2014-8469 Response Vendor: fixed 2014-10-23 to v4 Beta + DESCRIPTION The system stores all urls accessed in a database table,...
PHPFox 3.6.0 (build3) Multiple SQL Injection Vulnerabilities
No description provided by source. PHPFox v3.6.0 build3 Multiple SQL Injection vulnerabilities. Description: Software link: http://www.phpfox.com. Affected versions:...
phpFox <= 3.0.1 (ajax.php) Remote Command Execution Exploit
No description provided by source. phpFox <= 3.0.1 (ajax.php) Remote Command Execution Exploit. Author: Egidio Romano aka EgiX. Mail:...
Vulnerability in PHPFox v3.7.3, v3.7.4 and v3.7.5 all build [ CVE-2013-7195, CVE-2013-7196 ]
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CNA primary MITRE Corporation [email protected] Software Vendors PHPFox http://www.phpfox.com Product http://demo.phpfox.com Version: v3.7.3, v3.7.4 and v3.7.5 Research Wesley Henrique Leite wesleyhenrique NOSPAM gmail NOSPAM// com + INFORMATION...
CVE-2013-7195
PHPFox 3.7.3 and 3.7.4 allows remote authenticated users to bypass intended "Only Me" restrictions and "like" a publication via a request that specifies the ID for the publication...
CVE-2013-7196
static/ajax.php in PHPFox 3.7.3, 3.7.4, and 3.7.5 allows remote authenticated users to bypass intended "Only Me" restrictions and comment on a private publication via a request with a modified valitemid parameter for the publication...
Design/Logic Flaw
PHPFox 3.7.3 and 3.7.4 allows remote authenticated users to bypass intended "Only Me" restrictions and "like" a publication via a request that specifies the ID for the publication...
Design/Logic Flaw
static/ajax.php in PHPFox 3.7.3, 3.7.4, and 3.7.5 allows remote authenticated users to bypass intended "Only Me" restrictions and comment on a private publication via a request with a modified valitemid parameter for the publication...
CVE-2013-7195
PHPFox 3.7.3 and 3.7.4 contain an authorization bypass that lets remote authenticated users bypass the privacy setting "Only Me" for publications by crafting requests (e.g., like or comment) that specify the publication ID. The flaw arises in how doLike/comment.add processes item_id and related f...
CVE-2013-7196
PHPFox 3.7.3–3.7.5 contains a flaw in static/ajax.php that allows remote authenticated users to bypass the "Only Me" privacy setting and post a comment on private publications by manipulating the val[item_id] parameter. The root cause is insufficient access control in AJAX comment/like handling, ...