CVE-2020-35687
CVE-2020-35687 affects PHPFusion CMS 9.03.90. A CSRF vulnerability in the shoutbox management allows an attacker to delete all shoutbox messages on behalf of a logged-in victim. Public PoCs/exploits exist (e.g., PacketStorm, Exploit-DB) showing a GET request triggering deletion via shoutbox_archi...
CVE-2014-8597
CVE-2014-8597 describes a reflected cross-site scripting (XSS) vulnerability in PHP-Fusion 7.02.07. The issue allows remote attackers to inject arbitrary web script or HTML via the status parameter in the CMS admin panel. Documents in the connected set corroborate the vulnerability as a reflected...
CVE-2021-28280
PHPFusion 9.03.110 is affected by a CSRF and XSS vulnerability in search.php that allows remote attackers to inject arbitrary web script or HTML. This has been reported across multiple sources (NVD, Red Hat, CNVD, OSV, OpenVAS and others) with a consistent description. The CVE is not accompan...
CVE-2023-2453
CVE-2023-2453 affects PHPFusion. The issue is insufficient sanitization of tainted file names directly concatenated with a path and passed to a require_once statement, allowing inclusion and execution of arbitrary .php files when the absolute path is known. The description notes there is no known...
CVE-2022-3152
CVE-2022-3152 affects phpfusion/phpfusion prior to 9.10.20. The issue is described as an unverified password change, enabling account takeover. Connected documents corroborate the vulnerability class as an improper-authentication weakness and consistently point to versions before 9.10.20. The remedi...
CVE-2023-4480
CVE-2023-4480 describes an out-of-date dependency in the Fusion File Manager (admin panel) that allows a crafted request to read arbitrary system files and write files to arbitrary locations, constrained by mime-type and file extension validation. The vulnerability affects the Fusion File Manager...
CVE-2021-40189
CVE-2021-40189 affects PHPFusion 9.03.110. The vulnerability arises in the theme upload mechanism: the theme function can extract files to webroot/themes/{Theme Folder}, enabling an attacker to access and execute arbitrary code on the server. Connected sources (NVD/CNVD/CNNVD) describe remote cod...
CVE-2021-40188
CVE-2021-40188 (PHPFusion 9.03.110) is an arbitrary file upload vulnerability. The Admin File Manager fails to filter PHP extensions (e.g., .php, .php7, .phtml, .php5), allowing an attacker to upload a malicious file and execute code on the server. Affected software: PHPFusion 9.03.110. Root caus...
CVE-2021-40541
CVE-2021-40541 affects PHPFusion 9.03.110. The vulnerability is an XSS in the descript() function, triggered when an authenticated user appends "//" at the end of text, due to how the preg filter handles HTML tags. The available sources (NVD, CNVD, CVE List) describe the issue; no exploitation de...
CVE-2020-23754
PHP-Fusion 9.03.50 contains a Cross-Site Scripting vulnerability in infusions/member_poll_panel/poll_admin.php that allows an attacker to execute arbitrary code via the polls feature. Sources attribute the root cause to insufficient filtering/escaping of user-submitted input. This affects PHP-Fus...
CVE-2020-37152
PHP-Fusion 9.03.50 panels.php is vulnerable to cross-site scripting (XSS) via the panel_content POST parameter. The issue arises from insufficient sanitization of user input before rendering in the browser, enabling an attacker to inject arbitrary JavaScript that executes in the context of the af...
CVE-2020-37137
CVE-2020-37137 affects PHP-Fusion 9.03.50. The remote code execution vulnerability resides in the add_panel_form() path where eval() processes unsanitized POST data (panel_content) sent to panels.php, enabling arbitrary code execution. Exploitation details and PoCs are referenced in the connected...
CVE-2023-53928
PHPFusion 9.10.30 is affected by a stored cross-site scripting vulnerability in the file manager, allowing attackers to upload SVGs with embedded JavaScript. When such SVGs are viewed, they can execute client-side code that may steal session information or perform other user-side actions. The vul...