Vulnerabilities related to php-fusion - php-fusion
Vulnerability from fkie_nvd
Published
2021-07-02 18:15
Modified
2024-11-21 05:13
Severity ?
Summary
A reflected cross site scripting (XSS) vulnerability in /administration/theme.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Manage Theme" field.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/phpfusion/PHPFusion/issues/2326 | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpfusion/PHPFusion/issues/2326 | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 9.03.60 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:9.03.60:*:*:*:*:*:*:*", "matchCriteriaId": "A4375E88-4C03-4C87-9835-3AEC42937686", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A reflected cross site scripting (XSS) vulnerability in /administration/theme.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Manage Theme\" field." }, { "lang": "es", "value": "Una vulnerabilidad de tipo cross site scripting (XSS) reflejada en el archivo /administration/theme.php de PHP-Fusion versi\u00f3n 9.03.60, permite a atacantes autenticados ejecutar scripts web o HTML arbitrario por medio de una carga \u00fatil dise\u00f1ada introducida en el campo \"Manage Theme\"" } ], "id": "CVE-2020-23181", "lastModified": "2024-11-21T05:13:37.540", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" 
} ] }, "published": "2021-07-02T18:15:08.203", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2326" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2326" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-07-02 18:15
Modified
2024-11-21 05:13
Severity ?
Summary
An issue exists in PHP-Fusion 9.03.50 where session cookies are not deleted once a user logs out, allowing for an attacker to perform a session replay attack and impersonate the victim user.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/PHPFusion/PHPFusion/issues/2314 | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/PHPFusion/PHPFusion/issues/2314 | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 9.03.50 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:9.03.50:*:*:*:*:*:*:*", "matchCriteriaId": "0AB488D1-637D-4E18-A136-036994F7035F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue exists in PHP-Fusion 9.03.50 where session cookies are not deleted once a user logs out, allowing for an attacker to perform a session replay attack and impersonate the victim user." }, { "lang": "es", "value": "Se presenta un problema en PHP-Fusion versi\u00f3n 9.03.50, donde las cookies de sesi\u00f3n no son eliminadas una vez que el usuario cierra la sesi\u00f3n, permitiendo a un atacante llevar a cabo un ataque de repetici\u00f3n de sesi\u00f3n y hacerse pasar por el usuario v\u00edctima" } ], "id": "CVE-2020-23178", "lastModified": "2024-11-21T05:13:37.257", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-07-02T18:15:08.113", "references": 
[ { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/PHPFusion/PHPFusion/issues/2314" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/PHPFusion/PHPFusion/issues/2314" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-294" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2008-11-21 17:30
Modified
2024-11-21 00:53
Severity ?
Summary
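SQL injection vulnerability in kroax.php in the Kroax (the_kroax) 4.42 and earlier module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the category parameter. NOTE: in the configuration below, php-fusion appears only as the required platform ("vulnerable": false, combined with AND); the vulnerable component is the_kroax_module up to and including 4.42, so a PHP-Fusion installation without that module does not match this record.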
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | * | |
php-fusion | the_kroax_module | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E3E18BD-EA3F-4136-A256-A6A74F7066DD", "vulnerable": false } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:the_kroax_module:*:*:*:*:*:*:*:*", "matchCriteriaId": "26A707DB-EC80-4CB7-AD3F-0D91A5B9D0A8", "versionEndIncluding": "4.42", "vulnerable": true } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in kroax.php in the Kroax (the_kroax) 4.42 and earlier module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the category parameter." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en kroax.php en el m\u00f3dulo Kroax (the_kroax) v4.42 y anteriores de PHP-Fusion permite a atacantes remotos ejecutar comandos arbitrarios SQL a trav\u00e9s de par\u00e1metro category." 
} ], "id": "CVE-2008-5196", "lastModified": "2024-11-21T00:53:31.977", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-11-21T17:30:00.547", "references": [ { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/4639" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/29976" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43462" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/5942" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/4639" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/29976" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43462" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/5942" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2007-07-04 16:30
Modified
2024-11-21 00:33
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in infusions/shoutbox_panel/shoutbox_panel.php in PHP-Fusion 6.01.10 and 6.01.9, when guest posts are enabled, allows remote authenticated users to inject arbitrary web script or HTML via the URI, related to the FUSION_QUERY constant.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 6.01.9 | |
php-fusion | php-fusion | 6.01.10 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:6.01.9:*:*:*:*:*:*:*", "matchCriteriaId": "0C10EFF2-B3D0-4256-A69A-0E6C08B5009C", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:6.01.10:*:*:*:*:*:*:*", "matchCriteriaId": "27DBFC7B-D08B-4FCC-94A1-4C2052AAC90C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in infusions/shoutbox_panel/shoutbox_panel.php in PHP-Fusion 6.01.10 and 6.01.9, when guest posts are enabled, allows remote authenticated users to inject arbitrary web script or HTML via the URI, related to the FUSION_QUERY constant." }, { "lang": "es", "value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en infusions/shoutbox_panel/shoutbox_panel.php en PHP-Fusion 6.01.10 y 6.01.9, cuando los mensajes de invitados est\u00e1n habilitados, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n a trav\u00e9s del URI, relacionado con la constante FUSION_QUERY." 
} ], "id": "CVE-2007-3559", "lastModified": "2024-11-21T00:33:31.947", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-07-04T16:30:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/36342" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/25907" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/24733" }, { "source": "cve@mitre.org", "url": "http://www.xssed.com/advisory/60/PHP-FUSION_FUSION_QUERY_Cross-Site_Scripting_Vulnerability/" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35225" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/36342" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/25907" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/24733" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.xssed.com/advisory/60/PHP-FUSION_FUSION_QUERY_Cross-Site_Scripting_Vulnerability/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35225" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-04-29 17:15
Modified
2024-11-21 04:59
Severity ?
Summary
PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. An attacker can develop a crafted payload that can be inserted into the sort_order GET parameter on the members.php members search page. This parameter allows for control over anything after the ORDER BY clause in the SQL query.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 9.03.50 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:9.03.50:*:*:*:*:*:*:*", "matchCriteriaId": "0AB488D1-637D-4E18-A136-036994F7035F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. An attacker can develop a crafted payload that can be inserted into the sort_order GET parameter on the members.php members search page. This parameter allows for control over anything after the ORDER BY clause in the SQL query." }, { "lang": "es", "value": "PHP-Fusion versi\u00f3n 9.03.50, permite una inyecci\u00f3n SQL porque el archivo maincore.php posee un mecanismo de protecci\u00f3n insuficiente. Un atacante puede desarrollar una carga \u00fatil especialmente dise\u00f1ada que se puede insertar en el par\u00e1metro GET sort_order en la p\u00e1gina de b\u00fasqueda de miembros members.php. Este par\u00e1metro permite el control sobre cualquier cosa despu\u00e9s de la cl\u00e1usula ORDER BY en la consulta SQL." 
} ], "id": "CVE-2020-12461", "lastModified": "2024-11-21T04:59:44.950", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-04-29T17:15:12.113", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/79fe5ec1d5c75e017a6f42127741b9543658f822" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/858e43d7b0ea1897f76d5bcb3a1aed438132c0e2" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/d95cd4a2d22487723266c898b98e6be10754e03d" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2308" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackmd.io/lq7nA3ISSoeiGjiHVn5CoA" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/79fe5ec1d5c75e017a6f42127741b9543658f822" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/858e43d7b0ea1897f76d5bcb3a1aed438132c0e2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/d95cd4a2d22487723266c898b98e6be10754e03d" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2308" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackmd.io/lq7nA3ISSoeiGjiHVn5CoA" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-08-26 18:15
Modified
2024-11-21 05:13
Severity ?
Summary
PHP-Fusion 9.03.60 is affected by Cross Site Scripting (XSS) via infusions/member_poll_panel/poll_admin.php.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/php-fusion/PHP-Fusion/issues/2325 | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/php-fusion/PHP-Fusion/issues/2325 | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 9.03.60 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:9.03.60:*:*:*:*:*:*:*", "matchCriteriaId": "A4375E88-4C03-4C87-9835-3AEC42937686", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "PHP-Fusion 9.03.60 is affected by Cross Site Scripting (XSS) via infusions/member_poll_panel/poll_admin.php." }, { "lang": "es", "value": "PHP-Fusion versi\u00f3n 9.03.60, est\u00e1 afectado por una vulnerabilidad de tipo Cross Site Scripting (XSS) por medio del archivo infusions/member_poll_panel/poll_admin.php" } ], "id": "CVE-2020-23658", "lastModified": "2024-11-21T05:13:59.323", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-08-26T18:15:10.377", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2325" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2325" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2011-04-27 00:55
Modified
2024-11-21 01:21
Severity ?
Summary
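SQL injection vulnerability in infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php in the MG User-Fotoalbum (mg_user_fotoalbum_panel) module 1.0.1 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the album_id parameter. NOTE: in the configuration below, php-fusion appears only as the required platform ("vulnerable": false, combined with AND); the vulnerable component is mg_user_fotoalbum_panel 1.0.1, so a PHP-Fusion installation without that module does not match this record.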
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
marcusg | mg_user_fotoalbum_panel | 1.0.1 | |
php-fusion | php-fusion | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:marcusg:mg_user_fotoalbum_panel:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "2A7F49BA-49CC-40A2-BE2D-FD34BCAE1B57", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E3E18BD-EA3F-4136-A256-A6A74F7066DD", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php in the MG User-Fotoalbum (mg_user_fotoalbum_panel) module 1.0.1 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the album_id parameter." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php del m\u00f3dulo MG User-Fotoalbum (mg_user_fotoalbum_panel) v1.0.1 para PHP-Fusion, permite a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s del par\u00e1metro \"album_id\"." 
} ], "id": "CVE-2010-4791", "lastModified": "2024-11-21T01:21:47.123", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2011-04-27T00:55:02.960", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.org/1010-exploits/phpfusionmguser-sql.txt" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/41752" }, { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/8219" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/15227" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/43901" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62382" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.org/1010-exploits/phpfusionmguser-sql.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/41752" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/8219" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/15227" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/43901" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62382" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-05-07 20:15
Modified
2024-11-21 05:00
Severity ?
Summary
Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. NOTE: this might overlap CVE-2012-6043.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/php-fusion/PHP-Fusion/issues/2310 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/php-fusion/PHP-Fusion/issues/2310 | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 9.03.50 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:9.03.50:*:*:*:*:*:*:*", "matchCriteriaId": "0AB488D1-637D-4E18-A136-036994F7035F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. NOTE: this might overlap CVE-2012-6043." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de tipo cross-site scripting en PHP-Fusion versi\u00f3n 9.03.50, permiten a atacantes remotos inyectar script web o HTML arbitrario por medio del par\u00e1metro cat_id en el archivo downloads/downloads.php o article.php. NOTA: esto podr\u00eda solaparse al CVE-2012-6043." } ], "id": "CVE-2020-12708", "lastModified": "2024-11-21T05:00:07.383", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": 
"Primary" } ] }, "published": "2020-05-07T20:15:12.547", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2310" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2310" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-07-02 18:15
Modified
2024-11-21 05:13
Severity ?
Summary
A stored cross site scripting (XSS) vulnerability in /administration/setting_security.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/phpfusion/PHPFusion/issues/2331 | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpfusion/PHPFusion/issues/2331 | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 9.03.60 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:9.03.60:*:*:*:*:*:*:*", "matchCriteriaId": "A4375E88-4C03-4C87-9835-3AEC42937686", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A stored cross site scripting (XSS) vulnerability in /administration/setting_security.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload." }, { "lang": "es", "value": "Una vulnerabilidad de tipo cross site scripting (XSS) almacenada en el archivo /administration/setting_security.php de PHP-Fusion versi\u00f3n 9.03.60, permite a atacantes autenticados ejecutar scripts web o HTML arbitrario por medio de una carga \u00fatil dise\u00f1ada" } ], "id": "CVE-2020-23185", "lastModified": "2024-11-21T05:13:37.933", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-07-02T18:15:08.327", "references": 
[ { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2331" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2331" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-11-17 16:59
Modified
2024-11-21 02:19
Severity ?
Summary
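Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow remote authenticated users to execute arbitrary SQL commands via the (1) submit_id parameter in a 2 action to files/administration/submissions.php or (2) status parameter to files/administration/members.php. NOTE: the CVSS v2 vector recorded below (AV:N/AC:L/Au:N/C:P/I:P/A:P, base score 7.5) is scored with no authentication required, which does not match the "remote authenticated users" wording of this description; take that discrepancy into account when using the score for prioritisation.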
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 7.02.07 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.07:*:*:*:*:*:*:*", "matchCriteriaId": "58B2B87E-887D-43CC-AF67-C1AE4E43D463", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow remote authenticated users to execute arbitrary SQL commands via the (1) submit_id parameter in a 2 action to files/administration/submissions.php or (2) status parameter to files/administration/members.php." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en PHP-Fusion 7.02.07 permiten a usuarios remotos autenticados ejecutar comandos SQL arbitrarios en el par\u00e1metro submit_id en /administration/submissions.php (2) y el par\u00e1metro status en files/administration/members.php" } ], "id": "CVE-2014-8596", "lastModified": "2024-11-21T02:19:24.647", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-11-17T16:59:06.370", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/show/osvdb/112419" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/129053/PHP-Fusion-7.02.07-SQL-Injection.html" }, { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/133869/PHP-Fusion-7.02.07-Blind-SQL-Injection.html" }, { "source": "cve@mitre.org", "url": 
"http://seclists.org/fulldisclosure/2015/Oct/23" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/35206" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/71053" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98583" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "https://www.xlabs.com.br/blog/?p=282" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/show/osvdb/112419" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/129053/PHP-Fusion-7.02.07-SQL-Injection.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/133869/PHP-Fusion-7.02.07-Blind-SQL-Injection.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2015/Oct/23" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/35206" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/71053" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98583" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "https://www.xlabs.com.br/blog/?p=282" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-06-22 00:15
Modified
2024-11-21 05:04
Severity ?
Summary
A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/php-fusion/PHP-Fusion/commit/b3bde37f60e96f1a8ddd1439658307b28be77db5 | Patch, Third Party Advisory | |
cve@mitre.org | https://github.com/php-fusion/PHP-Fusion/issues/2327 | Exploit, Third Party Advisory | |
cve@mitre.org | https://www.exploit-db.com/exploits/48487 | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/php-fusion/PHP-Fusion/commit/b3bde37f60e96f1a8ddd1439658307b28be77db5 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/php-fusion/PHP-Fusion/issues/2327 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/48487 | Exploit, Third Party Advisory, VDB Entry |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 9.03.50 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:9.03.50:*:*:*:*:*:*:*", "matchCriteriaId": "0AB488D1-637D-4E18-A136-036994F7035F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter," }, { "lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n SQL en PHP-Fusion versi\u00f3n 9.03.50, afecta el endpoint administration/comments.php por medio del par\u00e1metro ctype" } ], "id": "CVE-2020-14960", "lastModified": "2024-11-21T05:04:31.367", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-06-22T00:15:10.193", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/b3bde37f60e96f1a8ddd1439658307b28be77db5" }, { 
"source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2327" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/48487" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/b3bde37f60e96f1a8ddd1439658307b28be77db5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2327" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/48487" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-03-05 20:30
Modified
2024-11-21 01:01
Severity ?
Summary
SQL injection vulnerability in items.php in the E-Cart module 1.3 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the CA parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ausimods | e-cart | 1.3 | |
php-fusion | php-fusion | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ausimods:e-cart:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "F7D81481-68A3-4D66-8958-6EAA82B80E54", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E3E18BD-EA3F-4136-A256-A6A74F7066DD", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in items.php in the E-Cart module 1.3 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the CA parameter." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en items.php en el m\u00f3dulo E-Cart v1.3 para PHP-Fusion permite a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s del par\u00e1metro \"CA\"." } ], "id": "CVE-2009-0832", "lastModified": "2024-11-21T01:01:00.587", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-03-05T20:30:00.703", "references": [ { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/499835/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/33155" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/7698" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://www.securityfocus.com/archive/1/499835/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/33155" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/7698" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-07-02 18:15
Modified
2024-11-21 05:13
Severity ?
Summary
The component /php-fusion/infusions/shoutbox_panel/shoutbox_archive.php in PHP-Fusion 9.03.60 allows attackers to redirect victim users to malicious websites via a crafted payload entered into the Shoutbox message panel.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/phpfusion/PHPFusion/issues/2329 | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpfusion/PHPFusion/issues/2329 | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 9.03.60 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:9.03.60:*:*:*:*:*:*:*", "matchCriteriaId": "A4375E88-4C03-4C87-9835-3AEC42937686", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The component /php-fusion/infusions/shoutbox_panel/shoutbox_archive.php in PHP-Fusion 9.03.60 allows attackers to redirect victim users to malicious websites via a crafted payload entered into the Shoutbox message panel." }, { "lang": "es", "value": "El archivo /php-fusion/infusions/shoutbox_panel/shoutbox_archive.php de PHP-Fusion versi\u00f3n 9.03.60, permite a atacantes redirigir a los usuarios v\u00edctimas a sitios web maliciosos por medio de una carga \u00fatil dise\u00f1ada introducida en el panel de mensajes de Shoutbox" } ], "id": "CVE-2020-23182", "lastModified": "2024-11-21T05:13:37.673", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2021-07-02T18:15:08.243", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2329" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2329" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-601" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-01-03 04:15
Modified
2024-11-21 05:28
Severity ?
Summary
login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow enumeration.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/PHPFusion/PHPFusion/issues/2346 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/PHPFusion/PHPFusion/issues/2346 | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "8719BB81-400A-4805-A85E-16BB9712AFA7", "versionEndExcluding": "9.03.90", "versionStartIncluding": "9.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single \"Incorrect username or password\" message in both cases), which might allow enumeration." }, { "lang": "es", "value": "El archivo login.php en PHPFusion (tambi\u00e9n se conoce como PHP-Fusion) Andromeda versi\u00f3n 9.x antes del 30-12-2020 genera mensajes de error que distinguen entre un nombre de usuario incorrecto y una contrase\u00f1a incorrecta (es decir, ni un solo mensaje de \"Incorrect username or password\" en ambos casos), lo que podr\u00eda permitir la enumeraci\u00f3n." 
} ], "id": "CVE-2020-35952", "lastModified": "2024-11-21T05:28:35.700", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-01-03T04:15:12.200", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/PHPFusion/PHPFusion/issues/2346" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/PHPFusion/PHPFusion/issues/2346" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2008-12-26 17:30
Modified
2024-11-21 00:54
Severity ?
Summary
SQL injection vulnerability in blog.php in the Team Impact TI Blog System mod for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the id parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | team_impact_ti_blog_system_module | - | |
php-fusion | php-fusion | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:team_impact_ti_blog_system_module:-:*:*:*:*:*:*:*", "matchCriteriaId": "7E7FB4E0-B477-4AC0-A070-F89DB7A87B87", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E3E18BD-EA3F-4136-A256-A6A74F7066DD", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in blog.php in the Team Impact TI Blog System mod for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the id parameter." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en blog.php en Team Impact TI Blog System mod para PHP-Fusion permite a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n mediante el par\u00e1metro id." } ], "id": "CVE-2008-5733", "lastModified": "2024-11-21T00:54:46.130", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-12-26T17:30:00.750", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/51017" }, { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/4814" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/499583/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": 
"http://www.securityfocus.com/bid/33019" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/7598" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/51017" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/4814" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/499583/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/33019" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/7598" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-09-25 21:29
Modified
2024-11-21 02:38
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in PHP-Fusion 9.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://cve.killedkenny.io/cve/CVE-2015-8375 | Third Party Advisory | |
cve@mitre.org | http://www.openwall.com/lists/oss-security/2015/11/29/4 | Exploit, Mailing List, Patch, Third Party Advisory | |
cve@mitre.org | https://gist.github.com/bscarvell/57f82000bf823071404e | Exploit, Third Party Advisory | |
cve@mitre.org | https://github.com/php-fusion/PHP-Fusion/commit/f1a5fce791e2392d5a23a6d62ab65c481cdd6a66 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://cve.killedkenny.io/cve/CVE-2015-8375 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2015/11/29/4 | Exploit, Mailing List, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://gist.github.com/bscarvell/57f82000bf823071404e | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/php-fusion/PHP-Fusion/commit/f1a5fce791e2392d5a23a6d62ab65c481cdd6a66 | Patch, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 9.00 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:9.00:*:*:*:*:*:*:*", "matchCriteriaId": "EF4AE030-17F1-473C-84D4-061201A72F9C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in PHP-Fusion 9." }, { "lang": "es", "value": "Existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en PHP-Fusion 9." } ], "id": "CVE-2015-8375", "lastModified": "2024-11-21T02:38:24.073", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-09-25T21:29:00.947", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://cve.killedkenny.io/cve/CVE-2015-8375" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Mailing List", "Patch", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2015/11/29/4" }, { "source": "cve@mitre.org", "tags": [ "Exploit", 
"Third Party Advisory" ], "url": "https://gist.github.com/bscarvell/57f82000bf823071404e" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/f1a5fce791e2392d5a23a6d62ab65c481cdd6a66" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://cve.killedkenny.io/cve/CVE-2015-8375" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Patch", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2015/11/29/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://gist.github.com/bscarvell/57f82000bf823071404e" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/f1a5fce791e2392d5a23a6d62ab65c481cdd6a66" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-07-07 19:15
Modified
2024-11-21 05:14
Severity ?
Summary
Cross Site Scripting (XSS) vulnerability in PHP-Fusion 9.03.60 via 'New Shout' in /infusions/shoutbox_panel/shoutbox_admin.php.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/phpfusion/PHPFusion/issues/2328 | Exploit, Third Party Advisory | |
cve@mitre.org | https://user-images.githubusercontent.com/62001260/82175522-47169980-98fe-11ea-9a8e-93622aab7cf4.PNG | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpfusion/PHPFusion/issues/2328 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://user-images.githubusercontent.com/62001260/82175522-47169980-98fe-11ea-9a8e-93622aab7cf4.PNG | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 9.03.60 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:9.03.60:*:*:*:*:*:*:*", "matchCriteriaId": "A4375E88-4C03-4C87-9835-3AEC42937686", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross Site Scripting (XSS) vulnerability in PHP-Fusion 9.03.60 via \u0027New Shout\u0027 in /infusions/shoutbox_panel/shoutbox_admin.php." }, { "lang": "es", "value": "Una vulnerabilidad de tipo Cross Site Scripting (XSS) en PHP-Fusion versi\u00f3n 9.03.60, por medio de \"New Shout\" en el archivo /infusions/shoutbox_panel/shoutbox_admin.php" } ], "id": "CVE-2020-23702", "lastModified": "2024-11-21T05:14:00.940", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-07-07T19:15:10.220", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2328" }, { "source": 
"cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://user-images.githubusercontent.com/62001260/82175522-47169980-98fe-11ea-9a8e-93622aab7cf4.PNG" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2328" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://user-images.githubusercontent.com/62001260/82175522-47169980-98fe-11ea-9a8e-93622aab7cf4.PNG" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2008-11-14 18:07
Modified
2024-11-21 00:53
Severity ?
Summary
SQL injection vulnerability in index.php in the Freshlinks 1.0 RC1 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the linkid parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | freshlinks_module | 1.0 | |
php-fusion | php-fusion | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:freshlinks_module:1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "FE4C5FA9-7884-49CC-A349-E9649B477DA9", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E3E18BD-EA3F-4136-A256-A6A74F7066DD", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in index.php in the Freshlinks 1.0 RC1 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the linkid parameter." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en index.php en el m\u00f3dulo Freshlinks v1.0 RC1 para PHP-Fusion permite a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s del par\u00e1metro \"linkid\"." } ], "id": "CVE-2008-5074", "lastModified": "2024-11-21T00:53:13.780", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-11-14T18:07:59.997", "references": [ { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/4594" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/31469" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45504" }, { "source": "cve@mitre.org", "url": 
"https://www.exploit-db.com/exploits/6620" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/4594" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/31469" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45504" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/6620" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-05-05 17:06
Modified
2024-11-21 02:00
Severity
HIGH (CVSS v2.0 base score 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P)
Summary
SQL injection vulnerability in includes/classes/Authenticate.class.php in PHP-Fusion 7.02.01 through 7.02.05 allows remote attackers to execute arbitrary SQL commands via the user ID in a user cookie, a different vulnerability than CVE-2013-1803.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 7.02.01 | |
php-fusion | php-fusion | 7.02.02 | |
php-fusion | php-fusion | 7.02.03 | |
php-fusion | php-fusion | 7.02.04 | |
php-fusion | php-fusion | 7.02.05 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.01:*:*:*:*:*:*:*", "matchCriteriaId": "0DA2B830-5DC6-42E8-882F-58AEAA9A5C5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.02:*:*:*:*:*:*:*", "matchCriteriaId": "9CC2526A-05C0-44B0-BB28-8B0A3A71157C", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.03:*:*:*:*:*:*:*", "matchCriteriaId": "5F807AC1-7103-481C-B2CE-85C6B82C0941", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.04:*:*:*:*:*:*:*", "matchCriteriaId": "92911880-2EDA-4A67-B8AE-FF2CB7DCA9BE", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.05:*:*:*:*:*:*:*", "matchCriteriaId": "6E351BCF-CA3B-49F2-85E6-68573B0411D0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in includes/classes/Authenticate.class.php in PHP-Fusion 7.02.01 through 7.02.05 allows remote attackers to execute arbitrary SQL commands via the user ID in a user cookie, a different vulnerability than CVE-2013-1803." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en includes/classes/Authenticate.class.php en PHP-Fusion 7.02.01 hasta 7.02.05 permite a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s del ID de usuario en una cookie de usuario, una vulnerabilidad diferente a CVE-2013-1803." 
} ], "id": "CVE-2013-7375", "lastModified": "2024-11-21T02:00:52.340", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-05-05T17:06:05.403", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/show/osvdb/90359" }, { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/120368/PHP-Fusion-CMS-7.02.05-SQL-Injection.html" }, { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "source": "cve@mitre.org", "url": "http://seclists.org/bugtraq/2013/Feb/80" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2013/Feb/154" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/58011" }, { "source": "cve@mitre.org", "url": "http://www.waraxe.us/advisory-97.html" }, { "source": "cve@mitre.org", "url": "https://vndh.net/note:php-fusion-70205-sql-injection" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/show/osvdb/90359" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/120368/PHP-Fusion-CMS-7.02.05-SQL-Injection.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/bugtraq/2013/Feb/80" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2013/Feb/154" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/58011" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.waraxe.us/advisory-97.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://vndh.net/note:php-fusion-70205-sql-injection" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2008-04-23 13:05
Modified
2024-11-21 00:45
Severity
MEDIUM (CVSS v2.0 base score 6.0, AV:N/AC:M/Au:S/C:P/I:P/A:P)
Summary
SQL injection vulnerability in submit.php in PHP-Fusion 6.01.14 and 6.00.307, when magic_quotes_gpc is disabled and the database table prefix is known, allows remote authenticated users to execute arbitrary SQL commands via the submit_info[] parameter in a link submission action. NOTE: it was later reported that 7.00.2 is also affected.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 6.00.307 | |
php-fusion | php-fusion | 6.01.14 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:6.00.307:*:*:*:*:*:*:*", "matchCriteriaId": "3F79C639-9C29-4803-9E43-60207AE59794", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:6.01.14:*:*:*:*:*:*:*", "matchCriteriaId": "F7967D43-5236-45DA-AC6A-CAE60C3807EC", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in submit.php in PHP-Fusion 6.01.14 and 6.00.307, when magic_quotes_gpc is disabled and the database table prefix is known, allows remote authenticated users to execute arbitrary SQL commands via the submit_info[] parameter in a link submission action. NOTE: it was later reported that 7.00.2 is also affected." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en el archivo submit.php en PHP-Fusion versiones 6.01.14 y 6.00.307, cuando magic_quotes_gpc est\u00e1 deshabilitado y se conoce el prefijo de la tabla de base de datos, permite a los usuarios autenticados remotos ejecutar comandos SQL arbitrarios por medio del par\u00e1metro submit_info[] en una acci\u00f3n link submission. NOTA: m\u00e1s tarde se report\u00f3 que versi\u00f3n 7.00.2 tambi\u00e9n est\u00e1 afectada." 
} ], "id": "CVE-2008-1918", "lastModified": "2024-11-21T00:45:39.717", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-04-23T13:05:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/51052" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29930" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/33295" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.php-fusion.co.uk/news.php" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Patch" ], "url": "http://www.securityfocus.com/bid/28855" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/1318/references" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41914" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47610" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/5470" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/7576" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/51052" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29930" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"http://secunia.com/advisories/33295" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.php-fusion.co.uk/news.php" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "http://www.securityfocus.com/bid/28855" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/1318/references" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41914" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47610" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/5470" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/7576" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-05-14 21:29
Modified
2024-11-21 04:22
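Severity
HIGH (CVSS v3.0 base score 8.8, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; CVSS v2.0 base score 9.0, AV:N/AC:L/Au:S/C:C/I:C/A:C)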
Summary
In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6 | Patch, Third Party Advisory | |
cve@mitre.org | https://www.exploit-db.com/exploits/46839 | Exploit, Third Party Advisory, VDB Entry | |
cve@mitre.org | https://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/46839 | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | * (CPE range: versions before 9.03.00, end excluded; the summary names 9.03.00 itself as affected)
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "8DF157F9-D6CA-47E8-BBAC-F53E7DD3820E", "versionEndExcluding": "9.03.00", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload." }, { "lang": "es", "value": "En PHP-Fusion versi\u00f3n 9.03.00, el archivo edit_profile.php permite a los usuarios autenticados remotamente ejecutar c\u00f3digo arbitrario porque includes/dynamics/includes/form_fileinput.php y includes/classes/PHPFusion/Installer/Lib/Core.settings.inc maneja inapropiadamente archivos ejecutables durante la carga de avatar." } ], "id": "CVE-2019-12099", "lastModified": "2024-11-21T04:22:11.823", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" 
}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-14T21:29:01.327", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/46839" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/46839" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-04-30 23:58
Modified
2024-11-21 01:50
Severity
MEDIUM (CVSS v2.0 base score 5.0, AV:N/AC:L/Au:N/C:P/I:N/A:N)
Summary
PHP-Fusion before 7.02.06 stores backup files with predictable filenames in an unrestricted directory under the web document root, which might allow remote attackers to obtain sensitive information via a direct request to the backup file in administration/db_backups/.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | * (up to and including 7.02.05) | |
php-fusion | php-fusion | 7.02.01 | |
php-fusion | php-fusion | 7.02.02 | |
php-fusion | php-fusion | 7.02.03 | |
php-fusion | php-fusion | 7.02.04 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B9F0261-3C99-444D-9F7B-766101BC9F61", "versionEndIncluding": "7.02.05", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.01:*:*:*:*:*:*:*", "matchCriteriaId": "0DA2B830-5DC6-42E8-882F-58AEAA9A5C5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.02:*:*:*:*:*:*:*", "matchCriteriaId": "9CC2526A-05C0-44B0-BB28-8B0A3A71157C", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.03:*:*:*:*:*:*:*", "matchCriteriaId": "5F807AC1-7103-481C-B2CE-85C6B82C0941", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.04:*:*:*:*:*:*:*", "matchCriteriaId": "92911880-2EDA-4A67-B8AE-FF2CB7DCA9BE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "PHP-Fusion before 7.02.06 stores backup files with predictable filenames in an unrestricted directory under the web document root, which might allow remote attackers to obtain sensitive information via a direct request to the backup file in administration/db_backups/." }, { "lang": "es", "value": "PHP-Fusion anterior a 7.02.06 almacena archivos de copia de seguridad con nombres de archivo previsibles en un directorio no restringido bajo el root de documento web, lo que podr\u00eda permitir a atacantes remotos obtener informaci\u00f3n sensible a trav\u00e9s de una solicitud directa al archivo de copia de seguridad en administration/db_backups/." 
} ], "id": "CVE-2013-1807", "lastModified": "2024-11-21T01:50:25.673", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-04-30T23:58:26.593", "references": [ { "source": "secalert@redhat.com", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "source": "secalert@redhat.com", "url": "http://seclists.org/fulldisclosure/2013/Feb/154" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "source": "secalert@redhat.com", "url": "http://www.osvdb.org/90691" }, { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "source": "secalert@redhat.com", "tags": [ "Exploit" ], "url": "http://www.waraxe.us/advisory-97.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2013/Feb/154" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/90691" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.waraxe.us/advisory-97.html" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-05-05 17:06
Modified
2024-11-21 01:50
Severity
HIGH (CVSS v2.0 base score 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P)
Summary
Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to execute arbitrary SQL commands via the (1) orderby parameter to downloads.php; or remote authenticated users with certain permissions to execute arbitrary SQL commands via a (2) parameter name starting with "delete_attach_" in an edit action to forum/postedit.php; the (3) poll_opts[] parameter in a newthread action to forum/postnewthread.php; the (4) pm_email_notify, (5) pm_save_sent, (6) pm_inbox, (7) pm_sentbox, or (8) pm_savebox parameter to administration/settings_messages.php; the (9) thumb_compression, (10) photo_watermark_text_color1, (11) photo_watermark_text_color2, or (12) photo_watermark_text_color3 parameter to administration/settings_photo.php; the (13) enable parameter to administration/bbcodes.php; the (14) news_image, (15) news_image_t1, or (16) news_image_t2 parameter to administration/news.php; the (17) news_id parameter in an edit action to administration/news.php; or the (18) article_id parameter in an edit action to administration/articles.php. NOTE: the user ID cookie issue in Authenticate.class.php is already covered by CVE-2013-7375.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | * (up to and including 7.02.05) | |
php-fusion | php-fusion | 7.02.01 | |
php-fusion | php-fusion | 7.02.02 | |
php-fusion | php-fusion | 7.02.03 | |
php-fusion | php-fusion | 7.02.04 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B9F0261-3C99-444D-9F7B-766101BC9F61", "versionEndIncluding": "7.02.05", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.01:*:*:*:*:*:*:*", "matchCriteriaId": "0DA2B830-5DC6-42E8-882F-58AEAA9A5C5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.02:*:*:*:*:*:*:*", "matchCriteriaId": "9CC2526A-05C0-44B0-BB28-8B0A3A71157C", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.03:*:*:*:*:*:*:*", "matchCriteriaId": "5F807AC1-7103-481C-B2CE-85C6B82C0941", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.04:*:*:*:*:*:*:*", "matchCriteriaId": "92911880-2EDA-4A67-B8AE-FF2CB7DCA9BE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to execute arbitrary SQL commands via the (1) orderby parameter to downloads.php; or remote authenticated users with certain permissions to execute arbitrary SQL commands via a (2) parameter name starting with \"delete_attach_\" in an edit action to forum/postedit.php; the (3) poll_opts[] parameter in a newthread action to forum/postnewthread.php; the (4) pm_email_notify, (5) pm_save_sent, (6) pm_inbox, (7) pm_sentbox, or (8) pm_savebox parameter to administration/settings_messages.php; the (9) thumb_compression, (10) photo_watermark_text_color1, (11) photo_watermark_text_color2, or (12) photo_watermark_text_color3 parameter to administration/settings_photo.php; the (13) enable parameter to administration/bbcodes.php; the (14) news_image, (15) news_image_t1, or (16) news_image_t2 parameter to administration/news.php; the (17) news_id parameter in an edit action to administration/news.php; or the (18) article_id parameter in an edit action to 
administration/articles.php. NOTE: the user ID cookie issue in Authenticate.class.php is already covered by CVE-2013-7375." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en PHP-Fusion anterior a versi\u00f3n 7.02.06, permiten a los atacantes remotos ejecutar comandos SQL arbitrarios por medio del (1) par\u00e1metro orderby en el archivo downloads.php; o usuarios autenticados remotamente con ciertos permisos para ejecutar comandos SQL arbitrarios por medio de un (2) par\u00e1metro name que comienza con \"delete_attach_\" en una acci\u00f3n edit en el archivo forum/postedit.php; el (3) par\u00e1metro poll_opts[] en una acci\u00f3n newthread en el archivo forum/postnewthread.php; el par\u00e1metro (4) pm_email_notify, (5) pm_save_sent, (6) pm_inbox, (7) pm_sentbox, o (8) pm_savebox en el archivo administration/settings_messages.php; el par\u00e1metro (9) thumb_compression, (10) photo_watermark_text_color1, (11) photo_watermark_text_color2, o (12) photo_watermark_text_color3 en el archivo administration/settings_photo.php; el (13) par\u00e1metro enable en el archivo administration/bbcodes.php; el par\u00e1metro (14) news_image, (15) news_image_t1, o (16) news_image_t2 en el archivo administration/news.php; el (17) par\u00e1metro news_id en una acci\u00f3n edit en el archivo administration/news.php; o el (18) par\u00e1metro article_id en una acci\u00f3n edit en el archivo administration/articles.php. NOTA: el problema de la cookie del ID de usuario en el archivo Authenticate.class.php ya est\u00e1 cubierto por el CVE-2013-7375." 
} ], "id": "CVE-2013-1803", "lastModified": "2024-11-21T01:50:25.277", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-05-05T17:06:04.077", "references": [ { "source": "secalert@redhat.com", "url": "http://osvdb.org/90693" }, { "source": "secalert@redhat.com", "url": "http://osvdb.org/90695" }, { "source": "secalert@redhat.com", "url": "http://osvdb.org/90709" }, { "source": "secalert@redhat.com", "url": "http://osvdb.org/90710" }, { "source": "secalert@redhat.com", "url": "http://osvdb.org/90711" }, { "source": "secalert@redhat.com", "url": "http://osvdb.org/90712" }, { "source": "secalert@redhat.com", "url": "http://osvdb.org/90713" }, { "source": "secalert@redhat.com", "url": "http://osvdb.org/show/osvdb/90714" }, { "source": "secalert@redhat.com", "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "source": "secalert@redhat.com", "url": "http://seclists.org/fulldisclosure/2013/Feb/154" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/52403" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "source": "secalert@redhat.com", "url": 
"http://www.waraxe.us/advisory-97.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/90693" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/90695" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/90709" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/90710" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/90711" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/90712" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/90713" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/show/osvdb/90714" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2013/Feb/154" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/52403" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.waraxe.us/advisory-97.html" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-08-12 22:15
Modified
2024-11-21 05:08
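Severity
MEDIUM (CVSS v3.1 base score 5.4, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N; CVSS v2.0 base score 3.5 LOW, AV:N/AC:M/Au:S/C:N/I:P/A:N)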
Summary
PHP-Fusion 9.03 allows XSS via the error_log file.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms/ | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | * (9.0 through 9.03, inclusive)
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "730406EC-DE8E-47AF-B51A-501CE5A406CA", "versionEndIncluding": "9.03", "versionStartIncluding": "9.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "PHP-Fusion 9.03 allows XSS via the error_log file." }, { "lang": "es", "value": "PHP-Fusion versi\u00f3n 9.03, permite un ataque de tipo XSS por medio del archivo error_log" } ], "id": "CVE-2020-17449", "lastModified": "2024-11-21T05:08:08.297", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-08-12T22:15:12.657", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", 
"Third Party Advisory" ], "url": "https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2008-11-21 17:30
Modified
2024-11-21 00:53
Severity
HIGH (CVSS v2.0 base score 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P)
Summary
SQL injection vulnerability in classifieds.php in PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the lid parameter in a detail_adverts action.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://securityreason.com/securityalert/4640 | Exploit, Third Party Advisory | |
cve@mitre.org | http://www.securityfocus.com/bid/29995 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://exchange.xforce.ibmcloud.com/vulnerabilities/43561 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://www.exploit-db.com/exploits/5961 | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://securityreason.com/securityalert/4640 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/29995 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/43561 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/5961 | Exploit, Third Party Advisory, VDB Entry |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | - |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:-:*:*:*:*:*:*:*", "matchCriteriaId": "BECDF2C9-B776-4BD6-A953-BFF0CBD8A344", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in classifieds.php in PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the lid parameter in a detail_adverts action." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en classifieds.php en PHP-Fusion permite a atacantes remotos ejecutar comandos arbitrarios SQL a trav\u00e9s de par\u00e1metro lid en una acci\u00f3n detail_adverts." } ], "id": "CVE-2008-5197", "lastModified": "2024-11-21T00:53:32.130", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-11-21T17:30:00.563", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://securityreason.com/securityalert/4640" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/29995" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43561" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/5961" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://securityreason.com/securityalert/4640" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/29995" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43561" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/5961" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-07-02 18:15
Modified
2024-11-21 05:13
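Severity
MEDIUM (NVD CVSS 3.1 base score 5.4, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N; CVSS 2.0 base score 3.5, LOW, AV:N/AC:M/Au:S/C:N/I:P/A:N)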
Summary
A stored cross site scripting (XSS) vulnerability in administration/settings_main.php of PHP-Fusion 9.03.50 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Site footer" field.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/PHPFusion/PHPFusion/issues/2320 | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/PHPFusion/PHPFusion/issues/2320 | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 9.03.50 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:9.03.50:*:*:*:*:*:*:*", "matchCriteriaId": "0AB488D1-637D-4E18-A136-036994F7035F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A stored cross site scripting (XSS) vulnerability in administration/settings_main.php of PHP-Fusion 9.03.50 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Site footer\" field." }, { "lang": "es", "value": "Una vulnerabilidad de tipo cross site scripting (XSS) almacenada en el archivo administration/settings_main.php de PHP-Fusion versi\u00f3n 9.03.50, permite a atacantes autenticados ejecutar scripts web o HTML arbitrario por medio de una carga \u00fatil dise\u00f1ada introducida en el campo \"Site footer\"" } ], "id": "CVE-2020-23179", "lastModified": "2024-11-21T05:13:37.393", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": 
"Primary" } ] }, "published": "2021-07-02T18:15:08.157", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/PHPFusion/PHPFusion/issues/2320" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/PHPFusion/PHPFusion/issues/2320" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-08-12 22:15
Modified
2024-11-21 05:08
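Severity
MEDIUM (NVD CVSS 3.1 base score 6.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N; CVSS 2.0 base score 4.3, MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N)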
Summary
PHP-Fusion 9.03 allows XSS on the preview page.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms/ | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | * (9.0 through 9.03, both inclusive) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "730406EC-DE8E-47AF-B51A-501CE5A406CA", "versionEndIncluding": "9.03", "versionStartIncluding": "9.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "PHP-Fusion 9.03 allows XSS on the preview page." }, { "lang": "es", "value": "PHP-Fusion versi\u00f3n 9.03, permite un ataque de tipo XSS en la p\u00e1gina de vista previa" } ], "id": "CVE-2020-17450", "lastModified": "2024-11-21T05:08:08.450", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-08-12T22:15:12.737", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", 
"Third Party Advisory" ], "url": "https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-07-02 18:15
Modified
2024-11-21 05:13
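Severity
MEDIUM (NVD CVSS 3.1 base score 5.4, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N; CVSS 2.0 base score 3.5, LOW, AV:N/AC:M/Au:S/C:N/I:P/A:N)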
Summary
A stored cross site scripting (XSS) vulnerability in /administration/settings_registration.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Registration" field.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/phpfusion/PHPFusion/issues/2323 | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpfusion/PHPFusion/issues/2323 | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 9.03.60 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:9.03.60:*:*:*:*:*:*:*", "matchCriteriaId": "A4375E88-4C03-4C87-9835-3AEC42937686", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A stored cross site scripting (XSS) vulnerability in /administration/settings_registration.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Registration\" field." }, { "lang": "es", "value": "Una vulnerabilidad de tipo cross site scripting (XSS) almacenada en el archivo /administration/settings_registration.php de PHP-Fusion versi\u00f3n 9.03.60, permite a atacantes autenticados ejecutar scripts web o HTML arbitrario por medio de una carga \u00fatil dise\u00f1ada introducida en el campo \"Registration\"" } ], "id": "CVE-2020-23184", "lastModified": "2024-11-21T05:13:37.803", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": 
"nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-07-02T18:15:08.287", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2323" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2323" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-06-24 21:15
Modified
2024-11-21 05:04
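Severity
MEDIUM (NVD CVSS 3.1 base score 4.8, CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N; CVSS 2.0 base score 3.5, LOW, AV:N/AC:M/Au:S/C:N/I:P/A:N)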
Summary
PHP-Fusion 9.03.60 allows XSS via the administration/site_links.php Add Site Link field.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/php-fusion/PHP-Fusion/issues/2330 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/php-fusion/PHP-Fusion/issues/2330 | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 9.03.60 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:9.03.60:*:*:*:*:*:*:*", "matchCriteriaId": "A4375E88-4C03-4C87-9835-3AEC42937686", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "PHP-Fusion 9.03.60 allows XSS via the administration/site_links.php Add Site Link field." }, { "lang": "es", "value": "PHP-Fusion versi\u00f3n 9.03.60, permite un ataque de tipo XSS por medio del campo Link del archivo administration/site_links.php" } ], "id": "CVE-2020-15041", "lastModified": "2024-11-21T05:04:41.193", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-06-24T21:15:10.493", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2330" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": 
"https://github.com/php-fusion/PHP-Fusion/issues/2330" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-01-22 11:30
Modified
2024-11-21 00:55
Severity
HIGH (NVD CVSS 2.0 base score 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P; the record carries no CVSS 3.x score)
Summary
SQL injection vulnerability in readmore.php in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the news_id parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 4.01 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:4.01:*:*:*:*:*:*:*", "matchCriteriaId": "7638D9CC-209F-4510-9874-6673902B657A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in readmore.php in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the news_id parameter." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en readmore.php en PHP-Fusion 4.01 permite a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n mediante el par\u00e1metro news_id." } ], "id": "CVE-2008-5946", "lastModified": "2024-11-21T00:55:16.737", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-01-22T11:30:05.467", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/30680" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/30680/exploit" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44456" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/30680" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/30680/exploit" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"https://exchange.xforce.ibmcloud.com/vulnerabilities/44456" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-09-03 14:15
Modified
2024-11-21 05:16
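Severity
HIGH (NVD CVSS 3.1 base score 8.8, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; CVSS 2.0 base score 9.0, HIGH, AV:N/AC:L/Au:S/C:C/I:C/A:C)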
Summary
Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE).
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://packetstormsecurity.com/files/162852/PHPFusion-9.03.50-Remote-Code-Execution.html | Exploit, Third Party Advisory, VDB Entry | |
cve@mitre.org | https://github.com/php-fusion/PHP-Fusion/issues/2312 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/162852/PHPFusion-9.03.50-Remote-Code-Execution.html | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/php-fusion/PHP-Fusion/issues/2312 | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 9.03.50 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:9.03.50:*:*:*:*:*:*:*", "matchCriteriaId": "0AB488D1-637D-4E18-A136-036994F7035F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE)." }, { "lang": "es", "value": "Una escalada de privilegios en PHP-Fusion versi\u00f3n 9.03.50, el archivo downloads/downloads.php permite a un usuario autenticado (no administrador) enviar una petici\u00f3n dise\u00f1ada hacia un servidor y llevar a cabo una ejecuci\u00f3n de comandos remota (RCE)" } ], "id": "CVE-2020-24949", "lastModified": "2024-11-21T05:16:14.850", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-09-03T14:15:10.713", "references": [ { 
"source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/162852/PHPFusion-9.03.50-Remote-Code-Execution.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2312" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/162852/PHPFusion-9.03.50-Remote-Code-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2312" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2011-01-20 19:00
Modified
2024-11-21 01:24
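Severity
MEDIUM (NVD CVSS 2.0 base score 6.8, AV:N/AC:M/Au:N/C:P/I:P/A:P; the record carries no CVSS 3.x score)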
Summary
SQL injection vulnerability in team.php in the Teams Structure module 3.0 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the team_id parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
jikaka | teams_structure_module | 3.0 | |
php-fusion | php-fusion | * (host platform for the module; the CPE match is marked not vulnerable on its own) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jikaka:teams_structure_module:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "42894135-FDE2-42B5-90FE-8E3F810C5A15", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E3E18BD-EA3F-4136-A256-A6A74F7066DD", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in team.php in the Teams Structure module 3.0 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the team_id parameter." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en team.php en el m\u00f3dulo Teams Structure v3.0 para PHP-Fusion, permite a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s del par\u00e1metro team_id" } ], "id": "CVE-2011-0512", "lastModified": "2024-11-21T01:24:11.133", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2011-01-20T19:00:11.490", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/70451" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/42943" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/16004" }, { "source": "cve@mitre.org", "url": 
"http://www.securityfocus.com/bid/45826" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64727" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/70451" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/42943" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/16004" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/45826" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64727" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-04-28 21:15
Modified
2024-11-21 04:59
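Severity
MEDIUM (NVD CVSS 3.1 base score 5.4, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N; CVSS 2.0 base score 3.5, LOW, AV:N/AC:M/Au:S/C:N/I:P/A:N)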
Summary
An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/php-fusion/PHP-Fusion/commit/c36006f900d855f1173f81cea1a774295049f4d8 | Patch, Third Party Advisory | |
cve@mitre.org | https://github.com/php-fusion/PHP-Fusion/issues/2307 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/php-fusion/PHP-Fusion/commit/c36006f900d855f1173f81cea1a774295049f4d8 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/php-fusion/PHP-Fusion/issues/2307 | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 9.03.50 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:9.03.50:*:*:*:*:*:*:*", "matchCriteriaId": "0AB488D1-637D-4E18-A136-036994F7035F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags." }, { "lang": "es", "value": "Existe una vulnerabilidad de tipo XSS en la p\u00e1gina banners.php de PHP-Fusion versi\u00f3n 9.03.50. Esto puede ser explotado porque la \u00fanica medida de seguridad usada contra un ataque de tipo XSS es el desmontaje de las etiquetas SCRIPT. Un actor malicioso puede usar controladores de eventos HTML para ejecutar JavaScript en lugar de usar etiquetas SCRIPT." } ], "id": "CVE-2020-12438", "lastModified": "2024-11-21T04:59:43.163", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", 
"version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-04-28T21:15:11.900", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/c36006f900d855f1173f81cea1a774295049f4d8" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2307" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/c36006f900d855f1173f81cea1a774295049f4d8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2307" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-04-30 23:58
Modified
2024-11-21 01:50
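Severity
MEDIUM (NVD CVSS 2.0 base score 6.5, AV:N/AC:L/Au:S/C:P/I:P/A:P; the record carries no CVSS 3.x score)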
Summary
Multiple directory traversal vulnerabilities in PHP-Fusion before 7.02.06 allow remote authenticated users to include and execute arbitrary files via a .. (dot dot) in the (1) user_theme parameter to maincore.php; or remote authenticated administrators to delete arbitrary files via the (2) enable parameter to administration/user_fields.php or (3) file parameter to administration/db_backup.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | * (up to and including 7.02.05) | |
php-fusion | php-fusion | 7.02.01 | |
php-fusion | php-fusion | 7.02.02 | |
php-fusion | php-fusion | 7.02.03 | |
php-fusion | php-fusion | 7.02.04 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B9F0261-3C99-444D-9F7B-766101BC9F61", "versionEndIncluding": "7.02.05", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.01:*:*:*:*:*:*:*", "matchCriteriaId": "0DA2B830-5DC6-42E8-882F-58AEAA9A5C5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.02:*:*:*:*:*:*:*", "matchCriteriaId": "9CC2526A-05C0-44B0-BB28-8B0A3A71157C", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.03:*:*:*:*:*:*:*", "matchCriteriaId": "5F807AC1-7103-481C-B2CE-85C6B82C0941", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.04:*:*:*:*:*:*:*", "matchCriteriaId": "92911880-2EDA-4A67-B8AE-FF2CB7DCA9BE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple directory traversal vulnerabilities in PHP-Fusion before 7.02.06 allow remote authenticated users to include and execute arbitrary files via a .. (dot dot) in the (1) user_theme parameter to maincore.php; or remote authenticated administrators to delete arbitrary files via the (2) enable parameter to administration/user_fields.php or (3) file parameter to administration/db_backup.php." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de salto de directorio en PHP-Fusion anterior a 7.02.06 permiten a usuarios remotos autenticados incluir y ejecutar archivos arbitrarios a trav\u00e9s de un .. (punto punto) en (1) el par\u00e1metro user_theme hacia maincore.php; o administradores remotos autenticados eliminar archivos arbitrarios a trav\u00e9s de (2) el par\u00e1metro enable hacia administration/user_fields.php o (3) el par\u00e1metro file hacia administration/db_backup.php." 
} ], "id": "CVE-2013-1806", "lastModified": "2024-11-21T01:50:25.547", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-04-30T23:58:26.547", "references": [ { "source": "secalert@redhat.com", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "source": "secalert@redhat.com", "url": "http://seclists.org/fulldisclosure/2013/Feb/154" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "source": "secalert@redhat.com", "url": "http://www.osvdb.org/90692" }, { "source": "secalert@redhat.com", "url": "http://www.osvdb.org/90694" }, { "source": "secalert@redhat.com", "url": "http://www.osvdb.org/90696" }, { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "source": "secalert@redhat.com", "tags": [ "Exploit" ], "url": "http://www.waraxe.us/advisory-97.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2013/Feb/154" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/90692" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/90694" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/90696" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.waraxe.us/advisory-97.html" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-05-07 20:15
Modified
2024-11-21 05:00
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/php-fusion/PHP-Fusion/commit/67273e546642d39451858a47296957807c9abd5f | Patch, Third Party Advisory | |
cve@mitre.org | https://github.com/php-fusion/PHP-Fusion/issues/2306 | Exploit, Third Party Advisory | |
cve@mitre.org | https://www.exploit-db.com/exploits/48404 | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/php-fusion/PHP-Fusion/commit/67273e546642d39451858a47296957807c9abd5f | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/php-fusion/PHP-Fusion/issues/2306 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/48404 | Exploit, Third Party Advisory, VDB Entry |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 9.03.50 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:9.03.50:*:*:*:*:*:*:*", "matchCriteriaId": "0AB488D1-637D-4E18-A136-036994F7035F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php" }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de tipo Cross-site scripting en PHP-Fusion versi\u00f3n 9.03.50, permiten a atacantes remotos inyectar script web o HTML arbitrario mediante el par\u00e1metro go en el archivo faq/faq_admin.php o shoutbox_panel/shoutbox_admin.php" } ], "id": "CVE-2020-12706", "lastModified": "2024-11-21T05:00:07.067", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-05-07T20:15:12.470", "references": [ { 
"source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/67273e546642d39451858a47296957807c9abd5f" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2306" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/48404" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/67273e546642d39451858a47296957807c9abd5f" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2306" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/48404" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2008-12-05 01:30
Modified
2024-11-21 00:53
Severity ?
Summary
SQL injection vulnerability in messages.php in PHP-Fusion 6.01.15 and 7.00.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the subject and msg_send parameters, a different vector than CVE-2005-3157, CVE-2005-3158, CVE-2005-3159, CVE-2005-4005, and CVE-2006-2459.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 6.01.15 | |
php-fusion | php-fusion | 7.00.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:6.01.15:*:*:*:*:*:*:*", "matchCriteriaId": "11019A94-11B0-438E-AB2C-A216C0079788", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.00.1:*:*:*:*:*:*:*", "matchCriteriaId": "29C3B75C-A4A7-4144-AA56-ACA16382535D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in messages.php in PHP-Fusion 6.01.15 and 7.00.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the subject and msg_send parameters, a different vector than CVE-2005-3157, CVE-2005-3158, CVE-2005-3159, CVE-2005-4005, and CVE-2006-2459." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en messages.php en PHP-Fusion v6.01.15 y v7.00.1, cuando magic_quotes_gpc se deshabilita, permitir\u00eda a atacantes remotos ejecutar comando SQL a su elecci\u00f3n a traves de los parametros \"subject\" y \"msg_send\", es un vector diferente que CVE-2005-3157, CVE-2005-3158, CVE-2005-3159, CVE-2005-4005, y CVE-2006-2459." 
} ], "id": "CVE-2008-5335", "lastModified": "2024-11-21T00:53:51.530", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-12-05T01:30:00.407", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/50065" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/32781" }, { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/4688" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.php-fusion.co.uk/downloads.php?cat_id=19" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=435" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=436" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/32388" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/3248" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46760" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/7173" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/50065" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/32781" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://securityreason.com/securityalert/4688" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.php-fusion.co.uk/downloads.php?cat_id=19" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=435" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=436" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/32388" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/3248" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46760" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/7173" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-06-11 14:30
Modified
2024-11-21 01:10
Severity ?
Summary
SQL injection vulnerability in books.php in the Book Panel (book_panel) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the bookid parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
basti2web | book_panel | * | |
php-fusion | php-fusion | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:basti2web:book_panel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2996AC96-B1C3-4F30-B628-3079B8831DE2", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E3E18BD-EA3F-4136-A256-A6A74F7066DD", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in books.php in the Book Panel (book_panel) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the bookid parameter." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en books.php en el m\u00f3dulo Book Panel (book_panel) de PHP-Fusion permite a los atacantes remotos ejecutar a su elecci\u00f3n comandos SQL a trav\u00e9s del par\u00e1metro bookid." } ], "id": "CVE-2009-4889", "lastModified": "2024-11-21T01:10:42.570", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-06-11T14:30:16.457", "references": [ { "source": "cve@mitre.org", "url": "http://www.exploit-db.com/exploits/8186" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/34049" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49160" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://www.exploit-db.com/exploits/8186" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/34049" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49160" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-02-17 18:15
Modified
2024-11-21 06:21
Severity ?
Summary
An issue in PHP-Fusion v9.03.90, fixed in v9.10.00, allows authenticated attackers to cause a Distributed Denial of Service via the Polling feature.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/PHPFusion/PHPFusion/commit/7b8df6925cc7cfd8585d4f34d9120ff3a2e5753e | Patch | |
cve@mitre.org | https://github.com/PHPFusion/PHPFusion/issues/2351 | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/PHPFusion/PHPFusion/commit/7b8df6925cc7cfd8585d4f34d9120ff3a2e5753e | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/PHPFusion/PHPFusion/issues/2351 | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7BA6849-FDCE-4FD9-9ED9-B66B005F2945", "versionEndExcluding": "9.10.00", "versionStartIncluding": "9.03.90", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue in Php-Fusion v9.03.90 fixed in v9.10.00 allows authenticated attackers to cause a Distributed Denial of Service via the Polling feature." } ], "id": "CVE-2021-3172", "lastModified": "2024-11-21T06:21:03.290", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-02-17T18:15:11.680", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "https://github.com/PHPFusion/PHPFusion/commit/7b8df6925cc7cfd8585d4f34d9120ff3a2e5753e" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/PHPFusion/PHPFusion/issues/2351" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/PHPFusion/PHPFusion/commit/7b8df6925cc7cfd8585d4f34d9120ff3a2e5753e" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/PHPFusion/PHPFusion/issues/2351" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2011-10-09 10:55
Modified
2024-11-21 01:22
Severity ?
Summary
Directory traversal vulnerability in maincore.php in PHP-Fusion allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the folder_level parameter. NOTE: this issue has been disputed by a reliable third party.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://attrition.org/pipermail/vim/2010-August/002391.html | Exploit, Third Party Advisory | |
cve@mitre.org | http://www.exploit-db.com/exploits/14647 | Exploit, Third Party Advisory, VDB Entry | |
cve@mitre.org | http://www.securityfocus.com/bid/42456 | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://attrition.org/pipermail/vim/2010-August/002391.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.exploit-db.com/exploits/14647 | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/42456 | Exploit, Third Party Advisory, VDB Entry |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | - |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:-:*:*:*:*:*:*:*", "matchCriteriaId": "BECDF2C9-B776-4BD6-A953-BFF0CBD8A344", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [ { "sourceIdentifier": "cve@mitre.org", "tags": [ "disputed" ] } ], "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in maincore.php in PHP-Fusion allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the folder_level parameter. NOTE: this issue has been disputed by a reliable third party" }, { "lang": "es", "value": "**EN DISPUTA** Vulnerabilidad de salto de directorio en maincore.php in PHP-Fusion, permite a atacantes remotos incluir y ejecutar ficheros locales de su elecci\u00f3n al utilizar caracteres .. (punto punto) en el par\u00e1metro folder_level. NOTA: est\u00e1 disputada por un tercero de confianza" } ], "id": "CVE-2010-4931", "lastModified": "2024-11-21T01:22:06.137", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2011-10-09T10:55:21.550", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://attrition.org/pipermail/vim/2010-August/002391.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://www.exploit-db.com/exploits/14647" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third 
Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/42456" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://attrition.org/pipermail/vim/2010-August/002391.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://www.exploit-db.com/exploits/14647" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/42456" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-11-26 22:55
Modified
2024-11-21 01:45
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in downloads.php in PHP-Fusion 7.02.04 allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 7.02.04 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.04:*:*:*:*:*:*:*", "matchCriteriaId": "92911880-2EDA-4A67-B8AE-FF2CB7DCA9BE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in downloads.php in PHP-Fusion 7.02.04 allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter." }, { "lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en downloads.php en PHP-Fusion v7.02.04 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del par\u00e1metro cat_id." } ], "id": "CVE-2012-6043", "lastModified": "2024-11-21T01:45:41.247", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2012-11-26T22:55:01.533", "references": [ { "source": "cve@mitre.org", "url": "http://packetstormsecurity.org/files/view/108542/phpfusion70204-xss.txt" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/51365" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72311" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.org/files/view/108542/phpfusion70204-xss.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": 
"http://www.securityfocus.com/bid/51365" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72311" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-09-09 22:30
Modified
2024-11-21 01:06
Severity ?
Summary
SQL injection vulnerability in screen.php in the Download System mSF (dsmsf) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the view_id parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
x-iweb.ru | download_system_msf | * | |
php-fusion | php-fusion | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:x-iweb.ru:download_system_msf:*:*:*:*:*:*:*:*", "matchCriteriaId": "76E40DF1-2A0A-4765-953B-4F26CF5AAA47", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E3E18BD-EA3F-4136-A256-A6A74F7066DD", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in screen.php in the Download System mSF (dsmsf) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the view_id parameter." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en screen.php del m\u00f3dulo Download System mSF (dsmf) para PHP-Fusion, permite a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s del par\u00e1metro \"view_id\"." } ], "id": "CVE-2009-3119", "lastModified": "2024-11-21T01:06:35.727", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-09-09T22:30:00.360", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.org/0908-exploits/phpfusiondsmsf-sql.txt" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/36180" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": 
"http://www.vupen.com/english/advisories/2009/2469" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.org/0908-exploits/phpfusiondsmsf-sql.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/36180" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/2469" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-05-08 00:15
Modified
2024-11-21 05:00
Severity ?
Summary
In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/php-fusion/PHP-Fusion/issues/2309 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/php-fusion/PHP-Fusion/issues/2309 | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 9.03.50 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:9.03.50:*:*:*:*:*:*:*", "matchCriteriaId": "0AB488D1-637D-4E18-A136-036994F7035F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle." }, { "lang": "es", "value": "En el archivo administration/comments.php en PHP-Fusion versi\u00f3n 9.03.50, un atacante autenticado puede tomar ventaja de una vulnerabilidad de tipo XSS almacenado en la funcionalidad Preview Comment. El mecanismo de protecci\u00f3n pueda ser omitido por medio del uso de controladores de eventos HTML, tal y como ontoggle." } ], "id": "CVE-2020-12718", "lastModified": "2024-11-21T05:00:08.400", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, 
"source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-05-08T00:15:11.987", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2309" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2309" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-07-07 19:00
Modified
2024-11-21 00:57
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in messages.php in PHP-Fusion 6.01.17 and 7.00.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | 6.01.17 | |
php-fusion | php-fusion | 7.00.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:6.01.17:*:*:*:*:*:*:*", "matchCriteriaId": "48294BDF-951F-4F06-B5E1-8C6F0C5592F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.00.3:*:*:*:*:*:*:*", "matchCriteriaId": "DAD29FD1-6C54-465D-A65A-A981E50F27A3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in messages.php in PHP-Fusion 6.01.17 and 7.00.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors." }, { "lang": "es", "value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en messages.php de PHP-Fusion v6.01.17 and v7.00.3, permite a usuarios remotos inyectar c\u00f3digo web y HTML a su elecci\u00f3n a trav\u00e9s de vectores no especificados." } ], "id": "CVE-2008-6850", "lastModified": "2024-11-21T00:57:37.433", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2009-07-07T19:00:00.233", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/51053" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/33295" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=443" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": 
"http://www.securityfocus.com/bid/33058" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47665" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/51053" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/33295" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=443" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/33058" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47665" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-04-29 20:55
Modified
2024-11-21 01:50
Summary
Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (2) user_list or (3) user_types parameter to messages.php; (4) message parameter to infusions/shoutbox_panel/shoutbox_admin.php; (5) message parameter to administration/news.php; (6) panel_list parameter to administration/panel_editor.php; (7) HTTP User Agent string to administration/phpinfo.php; (8) "__BBCODE__" parameter to administration/bbcodes.php; errorMessage parameter to (9) article_cats.php, (10) download_cats.php, (11) news_cats.php, or (12) weblink_cats.php in administration/, when error is 3; or (13) body or (14) body2 parameter to administration/articles.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | php-fusion | * | |
php-fusion | php-fusion | 7.02.01 | |
php-fusion | php-fusion | 7.02.02 | |
php-fusion | php-fusion | 7.02.03 | |
php-fusion | php-fusion | 7.02.04 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B9F0261-3C99-444D-9F7B-766101BC9F61", "versionEndIncluding": "7.02.05", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.01:*:*:*:*:*:*:*", "matchCriteriaId": "0DA2B830-5DC6-42E8-882F-58AEAA9A5C5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.02:*:*:*:*:*:*:*", "matchCriteriaId": "9CC2526A-05C0-44B0-BB28-8B0A3A71157C", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.03:*:*:*:*:*:*:*", "matchCriteriaId": "5F807AC1-7103-481C-B2CE-85C6B82C0941", "vulnerable": true }, { "criteria": "cpe:2.3:a:php-fusion:php-fusion:7.02.04:*:*:*:*:*:*:*", "matchCriteriaId": "92911880-2EDA-4A67-B8AE-FF2CB7DCA9BE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (2) user_list or (3) user_types parameter to messages.php; (4) message parameter to infusions/shoutbox_panel/shoutbox_admin.php; (5) message parameter to administration/news.php; (6) panel_list parameter to administration/panel_editor.php; (7) HTTP User Agent string to administration/phpinfo.php; (8) \"__BBCODE__\" parameter to administration/bbcodes.php; errorMessage parameter to (9) article_cats.php, (10) download_cats.php, (11) news_cats.php, or (12) weblink_cats.php in administration/, when error is 3; or (13) body or (14) body2 parameter to administration/articles.php." 
}, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en PHP-Fusion anterior a 7.02.06 permiten a atacantes remotos inyectar script Web o HTML arbitrarios a trav\u00e9s del (1) par\u00e1metro highlight hacia forum/viewthread.php; o usuarios remotos autenticados con ciertos permisos inyectar script Web o HTML arbitrarios a trav\u00e9s del (2) par\u00e1metro user_list o (3) el par\u00e1metro user_types hacia messages.php; (4) el par\u00e1metro message hacia infusions/shoutbox_panel/shoutbox_admin.php; (5) el par\u00e1metro message hacia administration/news.php; (6) el par\u00e1metro panel_list hacia administration/panel_editor.php; (7) la cadena HTTP User Agent hacia administration/phpinfo.php; (8) el par\u00e1metro \"__BBCODE__\" hacia administration/bbcodes.php; el par\u00e1metro errorMessage hacia (9) article_cats.php, (10) download_cats.php, (11) news_cats.php o (12) weblink_cats.php en administration/, cuando el error es 3; o (13) el par\u00e1metro body o (14) body2 hacia administration/articles.php." 
} ], "id": "CVE-2013-1804", "lastModified": "2024-11-21T01:50:25.407", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-04-29T20:55:08.747", "references": [ { "source": "secalert@redhat.com", "url": "http://osvdb.org/90707" }, { "source": "secalert@redhat.com", "url": "http://osvdb.org/90708" }, { "source": "secalert@redhat.com", "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "source": "secalert@redhat.com", "url": "http://seclists.org/fulldisclosure/2013/Feb/154" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/52403" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "source": "secalert@redhat.com", "url": "http://www.waraxe.us/advisory-97.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/90707" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/90708" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://seclists.org/fulldisclosure/2013/Feb/154" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/52403" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.waraxe.us/advisory-97.html" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-03-05 20:30
Modified
2024-11-21 01:01
Summary
SQL injection vulnerability in members.php in the Members CV (job) module 1.0 for PHP-Fusion, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the sortby parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
php-fusion | members_cv_module | 1.0 | |
php-fusion | php-fusion | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:members_cv_module:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "24E11A1E-1EF6-4844-8F96-8BF36536A694", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:php-fusion:php-fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E3E18BD-EA3F-4136-A256-A6A74F7066DD", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in members.php in the Members CV (job) module 1.0 for PHP-Fusion, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the sortby parameter." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en members.php en el m\u00f3dulo Members CV (job) v1.0 para PHP-Fusion, cuando magic_quotes_gpc no est\u00e1 activo, permite a usuarios remotos autenticados ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s del par\u00e1metro \"sortby\"." 
} ], "id": "CVE-2009-0831", "lastModified": "2024-11-21T01:01:00.427", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-03-05T20:30:00.687", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/33424" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/33156" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/7697" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/33424" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/33156" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/7697" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cve-2008-5074
Vulnerability from cvelistv5
Published
2008-11-14 16:00
Modified
2024-08-07 10:40
Summary
SQL injection vulnerability in index.php in the Freshlinks 1.0 RC1 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the linkid parameter.
References
▼ | URL | Tags |
---|---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/45504 | vdb-entry, x_refsource_XF | |
http://www.securityfocus.com/bid/31469 | vdb-entry, x_refsource_BID | |
http://securityreason.com/securityalert/4594 | third-party-advisory, x_refsource_SREASON | |
https://www.exploit-db.com/exploits/6620 | exploit, x_refsource_EXPLOIT-DB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T10:40:17.175Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "freshlinks-index-sql-injection(45504)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45504" }, { "name": "31469", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/31469" }, { "name": "4594", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/4594" }, { "name": "6620", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/6620" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-09-28T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in index.php in the Freshlinks 1.0 RC1 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the linkid parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "freshlinks-index-sql-injection(45504)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45504" }, { "name": "31469", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/31469" }, { "name": "4594", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/4594" }, { "name": "6620", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/6620" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-5074", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in index.php in the Freshlinks 1.0 RC1 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the linkid parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "freshlinks-index-sql-injection(45504)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45504" }, { "name": "31469", "refsource": "BID", "url": "http://www.securityfocus.com/bid/31469" }, { "name": "4594", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/4594" }, { "name": "6620", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/6620" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-5074", "datePublished": "2008-11-14T16:00:00", "dateReserved": "2008-11-14T00:00:00", "dateUpdated": "2024-08-07T10:40:17.175Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-6043
Vulnerability from cvelistv5
Published
2012-11-26 22:00
Modified
2024-08-06 21:21
Summary
Cross-site scripting (XSS) vulnerability in downloads.php in PHP-Fusion 7.02.04 allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter.
References
▼ | URL | Tags |
---|---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/72311 | vdb-entry, x_refsource_XF | |
http://www.securityfocus.com/bid/51365 | vdb-entry, x_refsource_BID | |
http://packetstormsecurity.org/files/view/108542/phpfusion70204-xss.txt | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T21:21:28.365Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "phpfusion-downloads-xss(72311)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72311" }, { "name": "51365", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/51365" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.org/files/view/108542/phpfusion70204-xss.txt" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-01-10T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in downloads.php in PHP-Fusion 7.02.04 allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "phpfusion-downloads-xss(72311)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72311" }, { "name": "51365", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/51365" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.org/files/view/108542/phpfusion70204-xss.txt" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-6043", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in downloads.php in PHP-Fusion 7.02.04 allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "phpfusion-downloads-xss(72311)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72311" }, { "name": "51365", "refsource": "BID", "url": "http://www.securityfocus.com/bid/51365" }, { "name": "http://packetstormsecurity.org/files/view/108542/phpfusion70204-xss.txt", "refsource": "MISC", "url": "http://packetstormsecurity.org/files/view/108542/phpfusion70204-xss.txt" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-6043", "datePublished": "2012-11-26T22:00:00", "dateReserved": "2012-11-26T00:00:00", "dateUpdated": "2024-08-06T21:21:28.365Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-23702
Vulnerability from cvelistv5
Published
2021-07-07 18:56
Modified
2024-08-04 15:05
Summary
Cross Site Scripting (XSS) vulnerability in PHP-Fusion 9.03.60 via 'New Shout' in /infusions/shoutbox_panel/shoutbox_admin.php.
References
▼ | URL | Tags |
---|---|---|
https://user-images.githubusercontent.com/62001260/82175522-47169980-98fe-11ea-9a8e-93622aab7cf4.PNG | x_refsource_MISC | |
https://github.com/phpfusion/PHPFusion/issues/2328 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:05:10.249Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://user-images.githubusercontent.com/62001260/82175522-47169980-98fe-11ea-9a8e-93622aab7cf4.PNG" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2328" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Cross Site Scripting (XSS) vulnerability in PHP-Fusion 9.03.60 via \u0027New Shout\u0027 in /infusions/shoutbox_panel/shoutbox_admin.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-07T18:56:55", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://user-images.githubusercontent.com/62001260/82175522-47169980-98fe-11ea-9a8e-93622aab7cf4.PNG" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2328" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-23702", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross Site Scripting (XSS) vulnerability in PHP-Fusion 9.03.60 via \u0027New Shout\u0027 in /infusions/shoutbox_panel/shoutbox_admin.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://user-images.githubusercontent.com/62001260/82175522-47169980-98fe-11ea-9a8e-93622aab7cf4.PNG", "refsource": "MISC", "url": "https://user-images.githubusercontent.com/62001260/82175522-47169980-98fe-11ea-9a8e-93622aab7cf4.PNG" }, { "name": "https://github.com/phpfusion/PHPFusion/issues/2328", "refsource": "MISC", "url": "https://github.com/phpfusion/PHPFusion/issues/2328" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-23702", "datePublished": "2021-07-07T18:56:55", "dateReserved": "2020-08-13T00:00:00", "dateUpdated": "2024-08-04T15:05:10.249Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-12461
Vulnerability from cvelistv5
Published
2020-04-29 16:14
Modified
2024-08-04 11:56
Summary
PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. An attacker can develop a crafted payload that can be inserted into the sort_order GET parameter on the members.php members search page. This parameter allows for control over anything after the ORDER BY clause in the SQL query.
References
▼ | URL | Tags |
---|---|---|
https://hackmd.io/lq7nA3ISSoeiGjiHVn5CoA | x_refsource_MISC | |
https://github.com/php-fusion/PHP-Fusion/issues/2308 | x_refsource_MISC | |
https://github.com/php-fusion/PHP-Fusion/commit/858e43d7b0ea1897f76d5bcb3a1aed438132c0e2 | x_refsource_MISC | |
https://github.com/php-fusion/PHP-Fusion/commit/d95cd4a2d22487723266c898b98e6be10754e03d | x_refsource_MISC | |
https://github.com/php-fusion/PHP-Fusion/commit/79fe5ec1d5c75e017a6f42127741b9543658f822 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T11:56:52.071Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackmd.io/lq7nA3ISSoeiGjiHVn5CoA" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2308" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/858e43d7b0ea1897f76d5bcb3a1aed438132c0e2" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/d95cd4a2d22487723266c898b98e6be10754e03d" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/79fe5ec1d5c75e017a6f42127741b9543658f822" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. An attacker can develop a crafted payload that can be inserted into the sort_order GET parameter on the members.php members search page. This parameter allows for control over anything after the ORDER BY clause in the SQL query." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-04-29T16:14:26", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://hackmd.io/lq7nA3ISSoeiGjiHVn5CoA" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2308" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/858e43d7b0ea1897f76d5bcb3a1aed438132c0e2" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/d95cd4a2d22487723266c898b98e6be10754e03d" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/79fe5ec1d5c75e017a6f42127741b9543658f822" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-12461", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. An attacker can develop a crafted payload that can be inserted into the sort_order GET parameter on the members.php members search page. This parameter allows for control over anything after the ORDER BY clause in the SQL query." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://hackmd.io/lq7nA3ISSoeiGjiHVn5CoA", "refsource": "MISC", "url": "https://hackmd.io/lq7nA3ISSoeiGjiHVn5CoA" }, { "name": "https://github.com/php-fusion/PHP-Fusion/issues/2308", "refsource": "MISC", "url": "https://github.com/php-fusion/PHP-Fusion/issues/2308" }, { "name": "https://github.com/php-fusion/PHP-Fusion/commit/858e43d7b0ea1897f76d5bcb3a1aed438132c0e2", "refsource": "MISC", "url": "https://github.com/php-fusion/PHP-Fusion/commit/858e43d7b0ea1897f76d5bcb3a1aed438132c0e2" }, { "name": "https://github.com/php-fusion/PHP-Fusion/commit/d95cd4a2d22487723266c898b98e6be10754e03d", "refsource": "MISC", "url": "https://github.com/php-fusion/PHP-Fusion/commit/d95cd4a2d22487723266c898b98e6be10754e03d" }, { "name": "https://github.com/php-fusion/PHP-Fusion/commit/79fe5ec1d5c75e017a6f42127741b9543658f822", "refsource": "MISC", "url": "https://github.com/php-fusion/PHP-Fusion/commit/79fe5ec1d5c75e017a6f42127741b9543658f822" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-12461", "datePublished": "2020-04-29T16:14:26", "dateReserved": "2020-04-29T00:00:00", "dateUpdated": "2024-08-04T11:56:52.071Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-17450
Vulnerability from cvelistv5
Published
2020-08-12 21:49
Modified
2024-08-04 13:53
Summary
PHP-Fusion 9.03 allows XSS on the preview page.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:53:17.459Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2020-02-25T00:00:00", "descriptions": [ { "lang": "en", "value": "PHP-Fusion 9.03 allows XSS on the preview page." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-08-12T21:49:46", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-17450", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "PHP-Fusion 9.03 allows XSS on the preview page." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms/", "refsource": "MISC", "url": "https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-17450", "datePublished": "2020-08-12T21:49:46", "dateReserved": "2020-08-09T00:00:00", "dateUpdated": "2024-08-04T13:53:17.459Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-1806
Vulnerability from cvelistv5
Published
2014-04-30 22:00
Modified
2024-08-06 15:13
Summary
Multiple directory traversal vulnerabilities in PHP-Fusion before 7.02.06 allow remote authenticated users to include and execute arbitrary files via a .. (dot dot) in the (1) user_theme parameter to maincore.php; or remote authenticated administrators to delete arbitrary files via the (2) enable parameter to administration/user_fields.php or (3) file parameter to administration/db_backup.php.
References
▼ | URL | Tags |
---|---|---|
http://www.waraxe.us/advisory-97.html | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2013/03/03/2 | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2013/03/03/1 | mailing-list, x_refsource_MLIST | |
http://www.osvdb.org/90692 | vdb-entry, x_refsource_OSVDB | |
http://www.osvdb.org/90694 | vdb-entry, x_refsource_OSVDB | |
http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html | x_refsource_MISC | |
http://www.php-fusion.co.uk/news.php?readmore=569 | x_refsource_CONFIRM | |
http://www.osvdb.org/90696 | vdb-entry, x_refsource_OSVDB | |
http://seclists.org/fulldisclosure/2013/Feb/154 | mailing-list, x_refsource_FULLDISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:13:33.287Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.waraxe.us/advisory-97.html" }, { "name": "[oss-security] 20130302 Re: CVE request: PHP-Fusion waraxe-2013-SA#097", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "name": "[oss-security] 20130303 CVE request: PHP-Fusion waraxe-2013-SA#097", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "name": "90692", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/90692" }, { "name": "90694", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/90694" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "name": "90696", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/90696" }, { "name": "20130228 [waraxe-2013-SA#097] - Multiple Vulnerabilities in PHP-Fusion 7.02.05", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2013/Feb/154" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-02-28T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple directory traversal vulnerabilities in PHP-Fusion before 7.02.06 allow remote authenticated users to include and execute arbitrary files via a .. 
(dot dot) in the (1) user_theme parameter to maincore.php; or remote authenticated administrators to delete arbitrary files via the (2) enable parameter to administration/user_fields.php or (3) file parameter to administration/db_backup.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-04-30T21:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.waraxe.us/advisory-97.html" }, { "name": "[oss-security] 20130302 Re: CVE request: PHP-Fusion waraxe-2013-SA#097", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "name": "[oss-security] 20130303 CVE request: PHP-Fusion waraxe-2013-SA#097", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "name": "90692", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/90692" }, { "name": "90694", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/90694" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "name": "90696", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/90696" }, { "name": "20130228 [waraxe-2013-SA#097] - Multiple Vulnerabilities in PHP-Fusion 7.02.05", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2013/Feb/154" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-1806", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { 
"version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple directory traversal vulnerabilities in PHP-Fusion before 7.02.06 allow remote authenticated users to include and execute arbitrary files via a .. (dot dot) in the (1) user_theme parameter to maincore.php; or remote authenticated administrators to delete arbitrary files via the (2) enable parameter to administration/user_fields.php or (3) file parameter to administration/db_backup.php." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.waraxe.us/advisory-97.html", "refsource": "MISC", "url": "http://www.waraxe.us/advisory-97.html" }, { "name": "[oss-security] 20130302 Re: CVE request: PHP-Fusion waraxe-2013-SA#097", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "name": "[oss-security] 20130303 CVE request: PHP-Fusion waraxe-2013-SA#097", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "name": "90692", "refsource": "OSVDB", "url": "http://www.osvdb.org/90692" }, { "name": "90694", "refsource": "OSVDB", "url": "http://www.osvdb.org/90694" }, { "name": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "name": "http://www.php-fusion.co.uk/news.php?readmore=569", "refsource": "CONFIRM", "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "name": "90696", "refsource": "OSVDB", "url": "http://www.osvdb.org/90696" }, { "name": "20130228 [waraxe-2013-SA#097] - Multiple Vulnerabilities in PHP-Fusion 7.02.05", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2013/Feb/154" } ] 
} } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-1806", "datePublished": "2014-04-30T22:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:13:33.287Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-5197
Vulnerability from cvelistv5
Published
2008-11-21 17:00
Modified
2024-08-07 10:40
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in classifieds.php in PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the lid parameter in a detail_adverts action.
References
URL | Tags | |
---|---|---|
http://securityreason.com/securityalert/4640 | third-party-advisory, x_refsource_SREASON | |
http://www.securityfocus.com/bid/29995 | vdb-entry, x_refsource_BID | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/43561 | vdb-entry, x_refsource_XF | |
https://www.exploit-db.com/exploits/5961 | exploit, x_refsource_EXPLOIT-DB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T10:40:17.413Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "4640", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/4640" }, { "name": "29995", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/29995" }, { "name": "classifieds-classifieds-sql-injection(43561)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43561" }, { "name": "5961", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/5961" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-06-27T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in classifieds.php in PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the lid parameter in a detail_adverts action." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "4640", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/4640" }, { "name": "29995", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/29995" }, { "name": "classifieds-classifieds-sql-injection(43561)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43561" }, { "name": "5961", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/5961" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-5197", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in classifieds.php in PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the lid parameter in a detail_adverts action." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "4640", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/4640" }, { "name": "29995", "refsource": "BID", "url": "http://www.securityfocus.com/bid/29995" }, { "name": "classifieds-classifieds-sql-injection(43561)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43561" }, { "name": "5961", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/5961" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-5197", "datePublished": "2008-11-21T17:00:00", "dateReserved": "2008-11-21T00:00:00", "dateUpdated": "2024-08-07T10:40:17.413Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-3172
Vulnerability from cvelistv5
Published
2023-02-17 00:00
Modified
2024-08-03 16:45
Severity ?
EPSS score ?
Summary
An issue in PHP-Fusion v9.03.90, fixed in v9.10.00, allows authenticated attackers to cause a Distributed Denial of Service via the Polling feature.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T16:45:51.361Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/PHPFusion/PHPFusion/issues/2351" }, { "tags": [ "x_transferred" ], "url": "https://github.com/PHPFusion/PHPFusion/commit/7b8df6925cc7cfd8585d4f34d9120ff3a2e5753e" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue in Php-Fusion v9.03.90 fixed in v9.10.00 allows authenticated attackers to cause a Distributed Denial of Service via the Polling feature." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-17T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/PHPFusion/PHPFusion/issues/2351" }, { "url": "https://github.com/PHPFusion/PHPFusion/commit/7b8df6925cc7cfd8585d4f34d9120ff3a2e5753e" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-3172", "datePublished": "2023-02-17T00:00:00", "dateReserved": "2021-01-18T00:00:00", "dateUpdated": "2024-08-03T16:45:51.361Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-7375
Vulnerability from cvelistv5
Published
2014-05-05 17:00
Modified
2024-08-06 18:09
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in includes/classes/Authenticate.class.php in PHP-Fusion 7.02.01 through 7.02.05 allows remote attackers to execute arbitrary SQL commands via the user ID in a user cookie, a different vulnerability than CVE-2013-1803.
References
URL | Tags | |
---|---|---|
http://www.waraxe.us/advisory-97.html | x_refsource_MISC | |
http://osvdb.org/show/osvdb/90359 | vdb-entry, x_refsource_OSVDB | |
http://seclists.org/bugtraq/2013/Feb/80 | mailing-list, x_refsource_BUGTRAQ | |
http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html | x_refsource_MISC | |
https://vndh.net/note:php-fusion-70205-sql-injection | x_refsource_MISC | |
http://www.securityfocus.com/bid/58011 | vdb-entry, x_refsource_BID | |
http://seclists.org/fulldisclosure/2013/Feb/154 | mailing-list, x_refsource_FULLDISC | |
http://packetstormsecurity.com/files/120368/PHP-Fusion-CMS-7.02.05-SQL-Injection.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T18:09:16.515Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.waraxe.us/advisory-97.html" }, { "name": "90359", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/show/osvdb/90359" }, { "name": "20130216 PHP-Fusion 7.02.05 SQL Injection", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://seclists.org/bugtraq/2013/Feb/80" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://vndh.net/note:php-fusion-70205-sql-injection" }, { "name": "58011", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/58011" }, { "name": "20130228 [waraxe-2013-SA#097] - Multiple Vulnerabilities in PHP-Fusion 7.02.05", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2013/Feb/154" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/120368/PHP-Fusion-CMS-7.02.05-SQL-Injection.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-02-16T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in includes/classes/Authenticate.class.php in PHP-Fusion 7.02.01 through 7.02.05 allows remote attackers to execute arbitrary SQL commands via the user ID in a user cookie, a different vulnerability than CVE-2013-1803." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-12-29T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.waraxe.us/advisory-97.html" }, { "name": "90359", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/show/osvdb/90359" }, { "name": "20130216 PHP-Fusion 7.02.05 SQL Injection", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://seclists.org/bugtraq/2013/Feb/80" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://vndh.net/note:php-fusion-70205-sql-injection" }, { "name": "58011", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/58011" }, { "name": "20130228 [waraxe-2013-SA#097] - Multiple Vulnerabilities in PHP-Fusion 7.02.05", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2013/Feb/154" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/120368/PHP-Fusion-CMS-7.02.05-SQL-Injection.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-7375", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in includes/classes/Authenticate.class.php in PHP-Fusion 7.02.01 through 7.02.05 allows remote attackers to execute arbitrary SQL commands via the user ID in a user cookie, a different vulnerability than CVE-2013-1803." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.waraxe.us/advisory-97.html", "refsource": "MISC", "url": "http://www.waraxe.us/advisory-97.html" }, { "name": "90359", "refsource": "OSVDB", "url": "http://osvdb.org/show/osvdb/90359" }, { "name": "20130216 PHP-Fusion 7.02.05 SQL Injection", "refsource": "BUGTRAQ", "url": "http://seclists.org/bugtraq/2013/Feb/80" }, { "name": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "name": "https://vndh.net/note:php-fusion-70205-sql-injection", "refsource": "MISC", "url": "https://vndh.net/note:php-fusion-70205-sql-injection" }, { "name": "58011", "refsource": "BID", "url": "http://www.securityfocus.com/bid/58011" }, { "name": "20130228 [waraxe-2013-SA#097] - Multiple Vulnerabilities in PHP-Fusion 7.02.05", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2013/Feb/154" }, { "name": "http://packetstormsecurity.com/files/120368/PHP-Fusion-CMS-7.02.05-SQL-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/120368/PHP-Fusion-CMS-7.02.05-SQL-Injection.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-7375", "datePublished": "2014-05-05T17:00:00", "dateReserved": "2014-05-05T00:00:00", "dateUpdated": "2024-08-06T18:09:16.515Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-1803
Vulnerability from cvelistv5
Published
2014-05-05 17:00
Modified
2024-08-06 15:13
Severity ?
EPSS score ?
Summary
Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to execute arbitrary SQL commands via the (1) orderby parameter to downloads.php; or remote authenticated users with certain permissions to execute arbitrary SQL commands via a (2) parameter name starting with "delete_attach_" in an edit action to forum/postedit.php; the (3) poll_opts[] parameter in a newthread action to forum/postnewthread.php; the (4) pm_email_notify, (5) pm_save_sent, (6) pm_inbox, (7) pm_sentbox, or (8) pm_savebox parameter to administration/settings_messages.php; the (9) thumb_compression, (10) photo_watermark_text_color1, (11) photo_watermark_text_color2, or (12) photo_watermark_text_color3 parameter to administration/settings_photo.php; the (13) enable parameter to administration/bbcodes.php; the (14) news_image, (15) news_image_t1, or (16) news_image_t2 parameter to administration/news.php; the (17) news_id parameter in an edit action to administration/news.php; or the (18) article_id parameter in an edit action to administration/articles.php. NOTE: the user ID cookie issue in Authenticate.class.php is already covered by CVE-2013-7375.
References
URL | Tags | |
---|---|---|
http://www.waraxe.us/advisory-97.html | x_refsource_MISC | |
http://osvdb.org/show/osvdb/90714 | vdb-entry, x_refsource_OSVDB | |
http://www.openwall.com/lists/oss-security/2013/03/03/2 | mailing-list, x_refsource_MLIST | |
http://osvdb.org/90710 | vdb-entry, x_refsource_OSVDB | |
http://www.openwall.com/lists/oss-security/2013/03/03/1 | mailing-list, x_refsource_MLIST | |
http://osvdb.org/90712 | vdb-entry, x_refsource_OSVDB | |
http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html | x_refsource_MISC | |
http://www.php-fusion.co.uk/news.php?readmore=569 | x_refsource_CONFIRM | |
http://osvdb.org/90709 | vdb-entry, x_refsource_OSVDB | |
http://osvdb.org/90713 | vdb-entry, x_refsource_OSVDB | |
http://osvdb.org/90711 | vdb-entry, x_refsource_OSVDB | |
http://osvdb.org/90693 | vdb-entry, x_refsource_OSVDB | |
http://osvdb.org/90695 | vdb-entry, x_refsource_OSVDB | |
http://seclists.org/fulldisclosure/2013/Feb/154 | mailing-list, x_refsource_FULLDISC | |
http://secunia.com/advisories/52403 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:13:33.197Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.waraxe.us/advisory-97.html" }, { "name": "90714", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/show/osvdb/90714" }, { "name": "[oss-security] 20130302 Re: CVE request: PHP-Fusion waraxe-2013-SA#097", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "name": "90710", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/90710" }, { "name": "[oss-security] 20130303 CVE request: PHP-Fusion waraxe-2013-SA#097", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "name": "90712", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/90712" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "name": "90709", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/90709" }, { "name": "90713", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/90713" }, { "name": "90711", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/90711" }, { "name": "90693", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/90693" }, { "name": "90695", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/90695" }, { "name": "20130228 [waraxe-2013-SA#097] - Multiple Vulnerabilities 
in PHP-Fusion 7.02.05", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2013/Feb/154" }, { "name": "52403", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/52403" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-02-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to execute arbitrary SQL commands via the (1) orderby parameter to downloads.php; or remote authenticated users with certain permissions to execute arbitrary SQL commands via a (2) parameter name starting with \"delete_attach_\" in an edit action to forum/postedit.php; the (3) poll_opts[] parameter in a newthread action to forum/postnewthread.php; the (4) pm_email_notify, (5) pm_save_sent, (6) pm_inbox, (7) pm_sentbox, or (8) pm_savebox parameter to administration/settings_messages.php; the (9) thumb_compression, (10) photo_watermark_text_color1, (11) photo_watermark_text_color2, or (12) photo_watermark_text_color3 parameter to administration/settings_photo.php; the (13) enable parameter to administration/bbcodes.php; the (14) news_image, (15) news_image_t1, or (16) news_image_t2 parameter to administration/news.php; the (17) news_id parameter in an edit action to administration/news.php; or the (18) article_id parameter in an edit action to administration/articles.php. NOTE: the user ID cookie issue in Authenticate.class.php is already covered by CVE-2013-7375." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-05-05T16:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.waraxe.us/advisory-97.html" }, { "name": "90714", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/show/osvdb/90714" }, { "name": "[oss-security] 20130302 Re: CVE request: PHP-Fusion waraxe-2013-SA#097", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "name": "90710", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/90710" }, { "name": "[oss-security] 20130303 CVE request: PHP-Fusion waraxe-2013-SA#097", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "name": "90712", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/90712" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "name": "90709", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/90709" }, { "name": "90713", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/90713" }, { "name": "90711", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/90711" }, { "name": "90693", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/90693" }, { "name": "90695", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/90695" }, { "name": "20130228 [waraxe-2013-SA#097] - Multiple Vulnerabilities in PHP-Fusion 7.02.05", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2013/Feb/154" }, { "name": 
"52403", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/52403" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-1803", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to execute arbitrary SQL commands via the (1) orderby parameter to downloads.php; or remote authenticated users with certain permissions to execute arbitrary SQL commands via a (2) parameter name starting with \"delete_attach_\" in an edit action to forum/postedit.php; the (3) poll_opts[] parameter in a newthread action to forum/postnewthread.php; the (4) pm_email_notify, (5) pm_save_sent, (6) pm_inbox, (7) pm_sentbox, or (8) pm_savebox parameter to administration/settings_messages.php; the (9) thumb_compression, (10) photo_watermark_text_color1, (11) photo_watermark_text_color2, or (12) photo_watermark_text_color3 parameter to administration/settings_photo.php; the (13) enable parameter to administration/bbcodes.php; the (14) news_image, (15) news_image_t1, or (16) news_image_t2 parameter to administration/news.php; the (17) news_id parameter in an edit action to administration/news.php; or the (18) article_id parameter in an edit action to administration/articles.php. NOTE: the user ID cookie issue in Authenticate.class.php is already covered by CVE-2013-7375." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.waraxe.us/advisory-97.html", "refsource": "MISC", "url": "http://www.waraxe.us/advisory-97.html" }, { "name": "90714", "refsource": "OSVDB", "url": "http://osvdb.org/show/osvdb/90714" }, { "name": "[oss-security] 20130302 Re: CVE request: PHP-Fusion waraxe-2013-SA#097", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "name": "90710", "refsource": "OSVDB", "url": "http://osvdb.org/90710" }, { "name": "[oss-security] 20130303 CVE request: PHP-Fusion waraxe-2013-SA#097", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "name": "90712", "refsource": "OSVDB", "url": "http://osvdb.org/90712" }, { "name": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "name": "http://www.php-fusion.co.uk/news.php?readmore=569", "refsource": "CONFIRM", "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "name": "90709", "refsource": "OSVDB", "url": "http://osvdb.org/90709" }, { "name": "90713", "refsource": "OSVDB", "url": "http://osvdb.org/90713" }, { "name": "90711", "refsource": "OSVDB", "url": "http://osvdb.org/90711" }, { "name": "90693", "refsource": "OSVDB", "url": "http://osvdb.org/90693" }, { "name": "90695", "refsource": "OSVDB", "url": "http://osvdb.org/90695" }, { "name": "20130228 [waraxe-2013-SA#097] - Multiple Vulnerabilities in PHP-Fusion 7.02.05", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2013/Feb/154" }, { "name": "52403", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/52403" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": 
"CVE-2013-1803", "datePublished": "2014-05-05T17:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:13:33.197Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-15041
Vulnerability from cvelistv5
Published
2020-06-24 20:33
Modified
2024-08-04 13:00
Severity ?
EPSS score ?
Summary
PHP-Fusion 9.03.60 allows XSS via the administration/site_links.php Add Site Link field.
References
URL | Tags | |
---|---|---|
https://github.com/php-fusion/PHP-Fusion/issues/2330 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:00:52.165Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2330" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "PHP-Fusion 9.03.60 allows XSS via the administration/site_links.php Add Site Link field." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-24T20:33:34", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2330" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-15041", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "PHP-Fusion 9.03.60 allows XSS via the administration/site_links.php Add Site Link field." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/php-fusion/PHP-Fusion/issues/2330", "refsource": "MISC", "url": "https://github.com/php-fusion/PHP-Fusion/issues/2330" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-15041", "datePublished": "2020-06-24T20:33:34", "dateReserved": "2020-06-24T00:00:00", "dateUpdated": "2024-08-04T13:00:52.165Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-23181
Vulnerability from cvelistv5
Published
2021-07-02 17:51
Modified
2024-08-04 14:58
Severity ?
EPSS score ?
Summary
A reflected cross site scripting (XSS) vulnerability in /administration/theme.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Manage Theme" field.
References
URL | Tags | |
---|---|---|
https://github.com/phpfusion/PHPFusion/issues/2326 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T14:58:14.645Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2326" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A reflected cross site scripting (XSS) vulnerability in /administration/theme.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Manage Theme\" field." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-02T17:51:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2326" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-23181", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A reflected cross site scripting (XSS) vulnerability in /administration/theme.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Manage Theme\" field." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/phpfusion/PHPFusion/issues/2326", "refsource": "MISC", "url": "https://github.com/phpfusion/PHPFusion/issues/2326" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-23181", "datePublished": "2021-07-02T17:51:09", "dateReserved": "2020-08-13T00:00:00", "dateUpdated": "2024-08-04T14:58:14.645Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-23658
Vulnerability from cvelistv5
Published
2020-08-26 17:11
Modified
2024-08-04 14:58
Summary
PHP-Fusion 9.03.60 is affected by Cross Site Scripting (XSS) via infusions/member_poll_panel/poll_admin.php.
References
▼ | URL | Tags |
---|---|---|
https://github.com/php-fusion/PHP-Fusion/issues/2325 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T14:58:15.161Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2325" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "PHP-Fusion 9.03.60 is affected by Cross Site Scripting (XSS) via infusions/member_poll_panel/poll_admin.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-08-26T17:11:38", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2325" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-23658", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "PHP-Fusion 9.03.60 is affected by Cross Site Scripting (XSS) via infusions/member_poll_panel/poll_admin.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/php-fusion/PHP-Fusion/issues/2325", "refsource": "MISC", "url": "https://github.com/php-fusion/PHP-Fusion/issues/2325" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-23658", "datePublished": "2020-08-26T17:11:38", "dateReserved": "2020-08-13T00:00:00", "dateUpdated": "2024-08-04T14:58:15.161Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-4931
Vulnerability from cvelistv5
Published
2011-10-09 10:00
Modified
2024-09-16 20:07
Summary
Directory traversal vulnerability in maincore.php in PHP-Fusion allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the folder_level parameter. NOTE: this issue has been disputed by a reliable third party.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/42456 | vdb-entry, x_refsource_BID | |
http://www.exploit-db.com/exploits/14647 | exploit, x_refsource_EXPLOIT-DB | |
http://attrition.org/pipermail/vim/2010-August/002391.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T04:02:30.485Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "42456", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/42456" }, { "name": "14647", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/14647" }, { "name": "[vim] 20100816 PHP-Fusion Local File Inclusion Vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://attrition.org/pipermail/vim/2010-August/002391.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in maincore.php in PHP-Fusion allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the folder_level parameter. 
NOTE: this issue has been disputed by a reliable third party" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2011-10-09T10:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "42456", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/42456" }, { "name": "14647", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/14647" }, { "name": "[vim] 20100816 PHP-Fusion Local File Inclusion Vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://attrition.org/pipermail/vim/2010-August/002391.html" } ], "tags": [ "disputed" ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-4931", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "** DISPUTED ** Directory traversal vulnerability in maincore.php in PHP-Fusion allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the folder_level parameter. NOTE: this issue has been disputed by a reliable third party." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "42456", "refsource": "BID", "url": "http://www.securityfocus.com/bid/42456" }, { "name": "14647", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/14647" }, { "name": "[vim] 20100816 PHP-Fusion Local File Inclusion Vulnerability", "refsource": "MLIST", "url": "http://attrition.org/pipermail/vim/2010-August/002391.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-4931", "datePublished": "2011-10-09T10:00:00Z", "dateReserved": "2011-10-09T00:00:00Z", "dateUpdated": "2024-09-16T20:07:27.748Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-8375
Vulnerability from cvelistv5
Published
2017-09-25 21:00
Modified
2024-08-06 08:13
Summary
Cross-site scripting (XSS) vulnerability in PHP-Fusion 9.
References
▼ | URL | Tags |
---|---|---|
https://gist.github.com/bscarvell/57f82000bf823071404e | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2015/11/29/4 | mailing-list, x_refsource_MLIST | |
https://github.com/php-fusion/PHP-Fusion/commit/f1a5fce791e2392d5a23a6d62ab65c481cdd6a66 | x_refsource_CONFIRM | |
http://cve.killedkenny.io/cve/CVE-2015-8375 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T08:13:32.311Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://gist.github.com/bscarvell/57f82000bf823071404e" }, { "name": "[oss-security] 20151129 Re: CVE request: XSS to RCE in PHP-Fusion 9", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2015/11/29/4" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/f1a5fce791e2392d5a23a6d62ab65c481cdd6a66" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://cve.killedkenny.io/cve/CVE-2015-8375" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-11-29T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in PHP-Fusion 9." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-25T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://gist.github.com/bscarvell/57f82000bf823071404e" }, { "name": "[oss-security] 20151129 Re: CVE request: XSS to RCE in PHP-Fusion 9", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2015/11/29/4" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/f1a5fce791e2392d5a23a6d62ab65c481cdd6a66" }, { "tags": [ "x_refsource_MISC" ], "url": "http://cve.killedkenny.io/cve/CVE-2015-8375" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-8375", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in PHP-Fusion 9." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://gist.github.com/bscarvell/57f82000bf823071404e", "refsource": "CONFIRM", "url": "https://gist.github.com/bscarvell/57f82000bf823071404e" }, { "name": "[oss-security] 20151129 Re: CVE request: XSS to RCE in PHP-Fusion 9", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/11/29/4" }, { "name": "https://github.com/php-fusion/PHP-Fusion/commit/f1a5fce791e2392d5a23a6d62ab65c481cdd6a66", "refsource": "CONFIRM", "url": "https://github.com/php-fusion/PHP-Fusion/commit/f1a5fce791e2392d5a23a6d62ab65c481cdd6a66" }, { "name": "http://cve.killedkenny.io/cve/CVE-2015-8375", "refsource": "MISC", "url": "http://cve.killedkenny.io/cve/CVE-2015-8375" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-8375", "datePublished": "2017-09-25T21:00:00", "dateReserved": "2015-11-29T00:00:00", "dateUpdated": "2024-08-06T08:13:32.311Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-4791
Vulnerability from cvelistv5
Published
2011-04-27 00:00
Modified
2024-08-07 04:02
Summary
SQL injection vulnerability in infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php in the MG User-Fotoalbum (mg_user_fotoalbum_panel) module 1.0.1 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the album_id parameter.
References
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/41752 | third-party-advisory, x_refsource_SECUNIA | |
http://securityreason.com/securityalert/8219 | third-party-advisory, x_refsource_SREASON | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/62382 | vdb-entry, x_refsource_XF | |
http://www.securityfocus.com/bid/43901 | vdb-entry, x_refsource_BID | |
http://www.exploit-db.com/exploits/15227 | exploit, x_refsource_EXPLOIT-DB | |
http://packetstormsecurity.org/1010-exploits/phpfusionmguser-sql.txt | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T04:02:29.031Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "41752", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/41752" }, { "name": "8219", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/8219" }, { "name": "phpfusion-fotoalbum-oalbum-sql-injection(62382)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62382" }, { "name": "43901", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/43901" }, { "name": "15227", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/15227" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.org/1010-exploits/phpfusionmguser-sql.txt" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-10-10T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php in the MG User-Fotoalbum (mg_user_fotoalbum_panel) module 1.0.1 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the album_id parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "41752", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/41752" }, { "name": "8219", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/8219" }, { "name": "phpfusion-fotoalbum-oalbum-sql-injection(62382)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62382" }, { "name": "43901", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/43901" }, { "name": "15227", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/15227" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.org/1010-exploits/phpfusionmguser-sql.txt" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-4791", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php in the MG User-Fotoalbum (mg_user_fotoalbum_panel) module 1.0.1 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the album_id parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "41752", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/41752" }, { "name": "8219", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/8219" }, { "name": "phpfusion-fotoalbum-oalbum-sql-injection(62382)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62382" }, { "name": "43901", "refsource": "BID", "url": "http://www.securityfocus.com/bid/43901" }, { "name": "15227", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/15227" }, { "name": "http://packetstormsecurity.org/1010-exploits/phpfusionmguser-sql.txt", "refsource": "MISC", "url": "http://packetstormsecurity.org/1010-exploits/phpfusionmguser-sql.txt" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-4791", "datePublished": "2011-04-27T00:00:00", "dateReserved": "2011-04-26T00:00:00", "dateUpdated": "2024-08-07T04:02:29.031Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-23178
Vulnerability from cvelistv5
Published
2021-07-02 17:51
Modified
2024-08-04 14:58
Summary
An issue exists in PHP-Fusion 9.03.50 where session cookies are not deleted once a user logs out, allowing for an attacker to perform a session replay attack and impersonate the victim user.
References
▼ | URL | Tags |
---|---|---|
https://github.com/PHPFusion/PHPFusion/issues/2314 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T14:58:14.437Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/PHPFusion/PHPFusion/issues/2314" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue exists in PHP-Fusion 9.03.50 where session cookies are not deleted once a user logs out, allowing for an attacker to perform a session replay attack and impersonate the victim user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-02T17:51:05", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/PHPFusion/PHPFusion/issues/2314" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-23178", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue exists in PHP-Fusion 9.03.50 where session cookies are not deleted once a user logs out, allowing for an attacker to perform a session replay attack and impersonate the victim user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/PHPFusion/PHPFusion/issues/2314", "refsource": "MISC", "url": "https://github.com/PHPFusion/PHPFusion/issues/2314" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-23178", "datePublished": "2021-07-02T17:51:05", "dateReserved": "2020-08-13T00:00:00", "dateUpdated": "2024-08-04T14:58:14.437Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-12718
Vulnerability from cvelistv5
Published
2020-05-07 23:29
Modified
2024-08-04 12:04
Summary
In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle.
References
▼ | URL | Tags |
---|---|---|
https://github.com/php-fusion/PHP-Fusion/issues/2309 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:04:22.777Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2309" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-05-07T23:29:26", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2309" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-12718", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/php-fusion/PHP-Fusion/issues/2309", "refsource": "MISC", "url": "https://github.com/php-fusion/PHP-Fusion/issues/2309" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-12718", "datePublished": "2020-05-07T23:29:26", "dateReserved": "2020-05-07T00:00:00", "dateUpdated": "2024-08-04T12:04:22.777Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-17449
Vulnerability from cvelistv5
Published
2020-08-12 21:47
Modified
2024-08-04 13:53
Summary
PHP-Fusion 9.03 allows XSS via the error_log file.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:53:17.489Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2020-02-25T00:00:00", "descriptions": [ { "lang": "en", "value": "PHP-Fusion 9.03 allows XSS via the error_log file." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-08-12T21:47:28", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-17449", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "PHP-Fusion 9.03 allows XSS via the error_log file." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms/", "refsource": "MISC", "url": "https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-17449", "datePublished": "2020-08-12T21:47:28", "dateReserved": "2020-08-09T00:00:00", "dateUpdated": "2024-08-04T13:53:17.489Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-12708
Vulnerability from cvelistv5
Published
2020-05-07 19:07
Modified
2024-08-04 12:04
Summary
Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. NOTE: this might overlap CVE-2012-6043.
References
▼ | URL | Tags |
---|---|---|
https://github.com/php-fusion/PHP-Fusion/issues/2310 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:04:22.504Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2310" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. NOTE: this might overlap CVE-2012-6043." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-05-07T19:07:58", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2310" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-12708", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. NOTE: this might overlap CVE-2012-6043." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/php-fusion/PHP-Fusion/issues/2310", "refsource": "MISC", "url": "https://github.com/php-fusion/PHP-Fusion/issues/2310" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-12708", "datePublished": "2020-05-07T19:07:58", "dateReserved": "2020-05-07T00:00:00", "dateUpdated": "2024-08-04T12:04:22.504Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-8596
Vulnerability from cvelistv5
Published
2014-11-17 16:00
Modified
2024-08-06 13:26
Summary
Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow remote authenticated users to execute arbitrary SQL commands via the (1) submit_id parameter in a 2 action to files/administration/submissions.php or (2) status parameter to files/administration/members.php.
References
▼ | URL | Tags |
---|---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/98583 | vdb-entry, x_refsource_XF | |
http://packetstormsecurity.com/files/133869/PHP-Fusion-7.02.07-Blind-SQL-Injection.html | x_refsource_MISC | |
http://osvdb.org/show/osvdb/112419 | vdb-entry, x_refsource_OSVDB | |
http://www.exploit-db.com/exploits/35206 | exploit, x_refsource_EXPLOIT-DB | |
http://www.securityfocus.com/bid/71053 | vdb-entry, x_refsource_BID | |
https://www.xlabs.com.br/blog/?p=282 | x_refsource_MISC | |
http://packetstormsecurity.com/files/129053/PHP-Fusion-7.02.07-SQL-Injection.html | x_refsource_MISC | |
http://seclists.org/fulldisclosure/2015/Oct/23 | mailing-list, x_refsource_FULLDISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:26:00.832Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "php-fusion-cve20148596-sql-injection(98583)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98583" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/133869/PHP-Fusion-7.02.07-Blind-SQL-Injection.html" }, { "name": "112419", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/show/osvdb/112419" }, { "name": "35206", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/35206" }, { "name": "71053", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/71053" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.xlabs.com.br/blog/?p=282" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/129053/PHP-Fusion-7.02.07-SQL-Injection.html" }, { "name": "20151005 Blind SQL Injection in admin panel PHP-Fusion \u003c= v7.02.07", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2015/Oct/23" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-11-06T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow remote authenticated users to execute arbitrary SQL commands via the (1) submit_id parameter in a 2 action to files/administration/submissions.php or (2) status parameter to files/administration/members.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-10-02T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "php-fusion-cve20148596-sql-injection(98583)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98583" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/133869/PHP-Fusion-7.02.07-Blind-SQL-Injection.html" }, { "name": "112419", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/show/osvdb/112419" }, { "name": "35206", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/35206" }, { "name": "71053", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/71053" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.xlabs.com.br/blog/?p=282" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/129053/PHP-Fusion-7.02.07-SQL-Injection.html" }, { "name": "20151005 Blind SQL Injection in admin panel PHP-Fusion \u003c= v7.02.07", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2015/Oct/23" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-8596", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow remote authenticated users to execute arbitrary SQL commands via the (1) submit_id parameter in a 2 action to files/administration/submissions.php or (2) status parameter 
to files/administration/members.php." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "php-fusion-cve20148596-sql-injection(98583)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98583" }, { "name": "http://packetstormsecurity.com/files/133869/PHP-Fusion-7.02.07-Blind-SQL-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/133869/PHP-Fusion-7.02.07-Blind-SQL-Injection.html" }, { "name": "112419", "refsource": "OSVDB", "url": "http://osvdb.org/show/osvdb/112419" }, { "name": "35206", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/35206" }, { "name": "71053", "refsource": "BID", "url": "http://www.securityfocus.com/bid/71053" }, { "name": "https://www.xlabs.com.br/blog/?p=282", "refsource": "MISC", "url": "https://www.xlabs.com.br/blog/?p=282" }, { "name": "http://packetstormsecurity.com/files/129053/PHP-Fusion-7.02.07-SQL-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/129053/PHP-Fusion-7.02.07-SQL-Injection.html" }, { "name": "20151005 Blind SQL Injection in admin panel PHP-Fusion \u003c= v7.02.07", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/Oct/23" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-8596", "datePublished": "2014-11-17T16:00:00", "dateReserved": "2014-11-04T00:00:00", "dateUpdated": "2024-08-06T13:26:00.832Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-5335
Vulnerability from cvelistv5
Published
2008-12-05 01:00
Modified
2024-08-07 10:49
Summary
SQL injection vulnerability in messages.php in PHP-Fusion 6.01.15 and 7.00.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the subject and msg_send parameters, a different vector than CVE-2005-3157, CVE-2005-3158, CVE-2005-3159, CVE-2005-4005, and CVE-2006-2459.
References
| URL | Tags |
|---|---|
| https://exchange.xforce.ibmcloud.com/vulnerabilities/46760 | vdb-entry, x_refsource_XF |
| http://secunia.com/advisories/32781 | third-party-advisory, x_refsource_SECUNIA |
| http://www.php-fusion.co.uk/news.php?readmore=435 | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/32388 | vdb-entry, x_refsource_BID |
| http://www.php-fusion.co.uk/downloads.php?cat_id=19 | x_refsource_CONFIRM |
| http://www.vupen.com/english/advisories/2008/3248 | vdb-entry, x_refsource_VUPEN |
| http://securityreason.com/securityalert/4688 | third-party-advisory, x_refsource_SREASON |
| http://osvdb.org/50065 | vdb-entry, x_refsource_OSVDB |
| http://www.php-fusion.co.uk/news.php?readmore=436 | x_refsource_CONFIRM |
| https://www.exploit-db.com/exploits/7173 | exploit, x_refsource_EXPLOIT-DB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T10:49:12.275Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "phpfusion-msgsend-sql-injection(46760)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46760" }, { "name": "32781", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32781" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=435" }, { "name": "32388", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/32388" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.php-fusion.co.uk/downloads.php?cat_id=19" }, { "name": "ADV-2008-3248", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/3248" }, { "name": "4688", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/4688" }, { "name": "50065", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/50065" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=436" }, { "name": "7173", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/7173" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-11-20T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in messages.php in PHP-Fusion 6.01.15 and 7.00.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the subject and msg_send 
parameters, a different vector than CVE-2005-3157, CVE-2005-3158, CVE-2005-3159, CVE-2005-4005, and CVE-2006-2459." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "phpfusion-msgsend-sql-injection(46760)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46760" }, { "name": "32781", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32781" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=435" }, { "name": "32388", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/32388" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.php-fusion.co.uk/downloads.php?cat_id=19" }, { "name": "ADV-2008-3248", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/3248" }, { "name": "4688", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/4688" }, { "name": "50065", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/50065" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=436" }, { "name": "7173", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/7173" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-5335", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": 
"eng", "value": "SQL injection vulnerability in messages.php in PHP-Fusion 6.01.15 and 7.00.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the subject and msg_send parameters, a different vector than CVE-2005-3157, CVE-2005-3158, CVE-2005-3159, CVE-2005-4005, and CVE-2006-2459." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "phpfusion-msgsend-sql-injection(46760)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46760" }, { "name": "32781", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32781" }, { "name": "http://www.php-fusion.co.uk/news.php?readmore=435", "refsource": "CONFIRM", "url": "http://www.php-fusion.co.uk/news.php?readmore=435" }, { "name": "32388", "refsource": "BID", "url": "http://www.securityfocus.com/bid/32388" }, { "name": "http://www.php-fusion.co.uk/downloads.php?cat_id=19", "refsource": "CONFIRM", "url": "http://www.php-fusion.co.uk/downloads.php?cat_id=19" }, { "name": "ADV-2008-3248", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/3248" }, { "name": "4688", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/4688" }, { "name": "50065", "refsource": "OSVDB", "url": "http://osvdb.org/50065" }, { "name": "http://www.php-fusion.co.uk/news.php?readmore=436", "refsource": "CONFIRM", "url": "http://www.php-fusion.co.uk/news.php?readmore=436" }, { "name": "7173", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/7173" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-5335", "datePublished": "2008-12-05T01:00:00", "dateReserved": "2008-12-04T00:00:00", "dateUpdated": "2024-08-07T10:49:12.275Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-12099
Vulnerability from cvelistv5
Published
2019-05-14 20:55
Modified
2024-08-04 23:10
Summary
In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload.
References
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46839 | x_refsource_MISC |
| https://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html | x_refsource_MISC |
| https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:10:30.543Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/46839" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-14T20:55:38", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.exploit-db.com/exploits/46839" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12099", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.exploit-db.com/exploits/46839", "refsource": "MISC", "url": "https://www.exploit-db.com/exploits/46839" }, { "name": "https://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html", "refsource": "MISC", "url": "https://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html" }, { "name": "https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6", "refsource": "MISC", "url": "https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12099", "datePublished": "2019-05-14T20:55:38", "dateReserved": "2019-05-14T00:00:00", "dateUpdated": "2024-08-04T23:10:30.543Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-12706
Vulnerability from cvelistv5
Published
2020-05-07 19:09
Modified
2024-08-04 12:04
Summary
Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php.
References
| URL | Tags |
|---|---|
| https://github.com/php-fusion/PHP-Fusion/issues/2306 | x_refsource_MISC |
| https://github.com/php-fusion/PHP-Fusion/commit/67273e546642d39451858a47296957807c9abd5f | x_refsource_MISC |
| https://www.exploit-db.com/exploits/48404 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:04:22.857Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2306" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/67273e546642d39451858a47296957807c9abd5f" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/48404" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-05-07T19:09:20", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2306" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/67273e546642d39451858a47296957807c9abd5f" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.exploit-db.com/exploits/48404" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-12706", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": 
"Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/php-fusion/PHP-Fusion/issues/2306", "refsource": "MISC", "url": "https://github.com/php-fusion/PHP-Fusion/issues/2306" }, { "name": "https://github.com/php-fusion/PHP-Fusion/commit/67273e546642d39451858a47296957807c9abd5f", "refsource": "MISC", "url": "https://github.com/php-fusion/PHP-Fusion/commit/67273e546642d39451858a47296957807c9abd5f" }, { "name": "https://www.exploit-db.com/exploits/48404", "refsource": "MISC", "url": "https://www.exploit-db.com/exploits/48404" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-12706", "datePublished": "2020-05-07T19:09:20", "dateReserved": "2020-05-07T00:00:00", "dateUpdated": "2024-08-04T12:04:22.857Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-12438
Vulnerability from cvelistv5
Published
2020-04-28 20:51
Modified
2024-08-04 11:56
Summary
An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags.
References
| URL | Tags |
|---|---|
| https://github.com/php-fusion/PHP-Fusion/commit/c36006f900d855f1173f81cea1a774295049f4d8 | x_refsource_MISC |
| https://github.com/php-fusion/PHP-Fusion/issues/2307 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T11:56:51.815Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/c36006f900d855f1173f81cea1a774295049f4d8" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2307" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-04-28T20:51:35", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/c36006f900d855f1173f81cea1a774295049f4d8" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2307" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-12438", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. 
This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/php-fusion/PHP-Fusion/commit/c36006f900d855f1173f81cea1a774295049f4d8", "refsource": "MISC", "url": "https://github.com/php-fusion/PHP-Fusion/commit/c36006f900d855f1173f81cea1a774295049f4d8" }, { "name": "https://github.com/php-fusion/PHP-Fusion/issues/2307", "refsource": "MISC", "url": "https://github.com/php-fusion/PHP-Fusion/issues/2307" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-12438", "datePublished": "2020-04-28T20:51:35", "dateReserved": "2020-04-28T00:00:00", "dateUpdated": "2024-08-04T11:56:51.815Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-5946
Vulnerability from cvelistv5
Published
2009-01-22 11:00
Modified
2024-08-07 11:13
Summary
SQL injection vulnerability in readmore.php in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the news_id parameter.
References
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/30680/exploit | x_refsource_MISC |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/44456 | vdb-entry, x_refsource_XF |
| http://www.securityfocus.com/bid/30680 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T11:13:13.847Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.securityfocus.com/bid/30680/exploit" }, { "name": "phpfusion-readmore-sql-injection(44456)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44456" }, { "name": "30680", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/30680" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-08-13T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in readmore.php in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the news_id parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-07T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.securityfocus.com/bid/30680/exploit" }, { "name": "phpfusion-readmore-sql-injection(44456)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44456" }, { "name": "30680", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/30680" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-5946", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", 
"data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in readmore.php in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the news_id parameter." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.securityfocus.com/bid/30680/exploit", "refsource": "MISC", "url": "http://www.securityfocus.com/bid/30680/exploit" }, { "name": "phpfusion-readmore-sql-injection(44456)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44456" }, { "name": "30680", "refsource": "BID", "url": "http://www.securityfocus.com/bid/30680" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-5946", "datePublished": "2009-01-22T11:00:00", "dateReserved": "2009-01-21T00:00:00", "dateUpdated": "2024-08-07T11:13:13.847Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-35952
Vulnerability from cvelistv5
Published
2021-01-03 03:49
Modified
2024-08-04 17:16
Summary
login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow enumeration.
References
| URL | Tags |
|---|---|
| https://github.com/PHPFusion/PHPFusion/issues/2346 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:16:13.461Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/PHPFusion/PHPFusion/issues/2346" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single \"Incorrect username or password\" message in both cases), which might allow enumeration." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-01-03T03:49:31", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/PHPFusion/PHPFusion/issues/2346" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-35952", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single \"Incorrect username or password\" message in both cases), which might allow enumeration." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/PHPFusion/PHPFusion/issues/2346", "refsource": "MISC", "url": "https://github.com/PHPFusion/PHPFusion/issues/2346" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-35952", "datePublished": "2021-01-03T03:49:31", "dateReserved": "2021-01-03T00:00:00", "dateUpdated": "2024-08-04T17:16:13.461Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2009-3119
Vulnerability from cvelistv5
Published
2009-09-09 22:00
Modified
2024-09-17 02:02
Summary
SQL injection vulnerability in screen.php in the Download System mSF (dsmsf) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the view_id parameter.
References
| URL | Tags |
|---|---|
| http://www.vupen.com/english/advisories/2009/2469 | vdb-entry, x_refsource_VUPEN |
| http://www.securityfocus.com/bid/36180 | vdb-entry, x_refsource_BID |
| http://packetstormsecurity.org/0908-exploits/phpfusiondsmsf-sql.txt | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T06:14:56.428Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "ADV-2009-2469", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/2469" }, { "name": "36180", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/36180" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.org/0908-exploits/phpfusiondsmsf-sql.txt" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in screen.php in the Download System mSF (dsmsf) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the view_id parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2009-09-09T22:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "ADV-2009-2469", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/2469" }, { "name": "36180", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/36180" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.org/0908-exploits/phpfusiondsmsf-sql.txt" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3119", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", 
"description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in screen.php in the Download System mSF (dsmsf) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the view_id parameter." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "ADV-2009-2469", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/2469" }, { "name": "36180", "refsource": "BID", "url": "http://www.securityfocus.com/bid/36180" }, { "name": "http://packetstormsecurity.org/0908-exploits/phpfusiondsmsf-sql.txt", "refsource": "MISC", "url": "http://packetstormsecurity.org/0908-exploits/phpfusiondsmsf-sql.txt" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-3119", "datePublished": "2009-09-09T22:00:00Z", "dateReserved": "2009-09-09T00:00:00Z", "dateUpdated": "2024-09-17T02:02:44.595Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-1804
Vulnerability from cvelistv5
Published
2014-04-29 20:00
Modified
2024-08-06 15:13
Summary
Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (2) user_list or (3) user_types parameter to messages.php; (4) message parameter to infusions/shoutbox_panel/shoutbox_admin.php; (5) message parameter to administration/news.php; (6) panel_list parameter to administration/panel_editor.php; (7) HTTP User Agent string to administration/phpinfo.php; (8) "__BBCODE__" parameter to administration/bbcodes.php; errorMessage parameter to (9) article_cats.php, (10) download_cats.php, (11) news_cats.php, or (12) weblink_cats.php in administration/, when error is 3; or (13) body or (14) body2 parameter to administration/articles.php.
References
| URL | Tags |
|---|---|
| http://www.waraxe.us/advisory-97.html | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2013/03/03/2 | mailing-list, x_refsource_MLIST |
| http://www.openwall.com/lists/oss-security/2013/03/03/1 | mailing-list, x_refsource_MLIST |
| http://osvdb.org/90707 | vdb-entry, x_refsource_OSVDB |
| http://osvdb.org/90708 | vdb-entry, x_refsource_OSVDB |
| http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html | x_refsource_MISC |
| http://www.php-fusion.co.uk/news.php?readmore=569 | x_refsource_CONFIRM |
| http://seclists.org/fulldisclosure/2013/Feb/154 | mailing-list, x_refsource_FULLDISC |
| http://secunia.com/advisories/52403 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:13:33.176Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.waraxe.us/advisory-97.html" }, { "name": "[oss-security] 20130302 Re: CVE request: PHP-Fusion waraxe-2013-SA#097", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "name": "[oss-security] 20130303 CVE request: PHP-Fusion waraxe-2013-SA#097", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "name": "90707", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/90707" }, { "name": "90708", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/90708" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "name": "20130228 [waraxe-2013-SA#097] - Multiple Vulnerabilities in PHP-Fusion 7.02.05", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2013/Feb/154" }, { "name": "52403", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/52403" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-02-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight 
parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (2) user_list or (3) user_types parameter to messages.php; (4) message parameter to infusions/shoutbox_panel/shoutbox_admin.php; (5) message parameter to administration/news.php; (6) panel_list parameter to administration/panel_editor.php; (7) HTTP User Agent string to administration/phpinfo.php; (8) \"__BBCODE__\" parameter to administration/bbcodes.php; errorMessage parameter to (9) article_cats.php, (10) download_cats.php, (11) news_cats.php, or (12) weblink_cats.php in administration/, when error is 3; or (13) body or (14) body2 parameter to administration/articles.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-04-29T19:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.waraxe.us/advisory-97.html" }, { "name": "[oss-security] 20130302 Re: CVE request: PHP-Fusion waraxe-2013-SA#097", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "name": "[oss-security] 20130303 CVE request: PHP-Fusion waraxe-2013-SA#097", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "name": "90707", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/90707" }, { "name": "90708", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/90708" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "name": "20130228 [waraxe-2013-SA#097] - Multiple Vulnerabilities in PHP-Fusion 7.02.05", "tags": [ 
"mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2013/Feb/154" }, { "name": "52403", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/52403" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-1804", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (2) user_list or (3) user_types parameter to messages.php; (4) message parameter to infusions/shoutbox_panel/shoutbox_admin.php; (5) message parameter to administration/news.php; (6) panel_list parameter to administration/panel_editor.php; (7) HTTP User Agent string to administration/phpinfo.php; (8) \"__BBCODE__\" parameter to administration/bbcodes.php; errorMessage parameter to (9) article_cats.php, (10) download_cats.php, (11) news_cats.php, or (12) weblink_cats.php in administration/, when error is 3; or (13) body or (14) body2 parameter to administration/articles.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.waraxe.us/advisory-97.html", "refsource": "MISC", "url": "http://www.waraxe.us/advisory-97.html" }, { "name": "[oss-security] 20130302 Re: CVE request: PHP-Fusion waraxe-2013-SA#097", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "name": "[oss-security] 20130303 CVE request: PHP-Fusion waraxe-2013-SA#097", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "name": "90707", "refsource": "OSVDB", "url": "http://osvdb.org/90707" }, { "name": "90708", "refsource": "OSVDB", "url": "http://osvdb.org/90708" }, { "name": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "name": "http://www.php-fusion.co.uk/news.php?readmore=569", "refsource": "CONFIRM", "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "name": "20130228 [waraxe-2013-SA#097] - Multiple Vulnerabilities in PHP-Fusion 7.02.05", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2013/Feb/154" }, { "name": "52403", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/52403" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-1804", "datePublished": "2014-04-29T20:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:13:33.176Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-1807
Vulnerability from cvelistv5
Published
2014-04-30 22:00
Modified
2024-08-06 15:13
Severity ?
EPSS score ?
Summary
PHP-Fusion before 7.02.06 stores backup files with predictable filenames in an unrestricted directory under the web document root, which might allow remote attackers to obtain sensitive information via a direct request to the backup file in administration/db_backups/.
References
▼ | URL | Tags |
---|---|---|
http://www.waraxe.us/advisory-97.html | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2013/03/03/2 | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2013/03/03/1 | mailing-list, x_refsource_MLIST | |
http://www.osvdb.org/90691 | vdb-entry, x_refsource_OSVDB | |
http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html | x_refsource_MISC | |
http://www.php-fusion.co.uk/news.php?readmore=569 | x_refsource_CONFIRM | |
http://seclists.org/fulldisclosure/2013/Feb/154 | mailing-list, x_refsource_FULLDISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:13:32.993Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.waraxe.us/advisory-97.html" }, { "name": "[oss-security] 20130302 Re: CVE request: PHP-Fusion waraxe-2013-SA#097", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "name": "[oss-security] 20130303 CVE request: PHP-Fusion waraxe-2013-SA#097", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "name": "90691", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/90691" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "name": "20130228 [waraxe-2013-SA#097] - Multiple Vulnerabilities in PHP-Fusion 7.02.05", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2013/Feb/154" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-02-28T00:00:00", "descriptions": [ { "lang": "en", "value": "PHP-Fusion before 7.02.06 stores backup files with predictable filenames in an unrestricted directory under the web document root, which might allow remote attackers to obtain sensitive information via a direct request to the backup file in administration/db_backups/." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-04-30T21:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.waraxe.us/advisory-97.html" }, { "name": "[oss-security] 20130302 Re: CVE request: PHP-Fusion waraxe-2013-SA#097", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "name": "[oss-security] 20130303 CVE request: PHP-Fusion waraxe-2013-SA#097", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "name": "90691", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/90691" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "name": "20130228 [waraxe-2013-SA#097] - Multiple Vulnerabilities in PHP-Fusion 7.02.05", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2013/Feb/154" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-1807", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "PHP-Fusion before 7.02.06 stores backup files with predictable filenames in an unrestricted directory under the web document root, which might allow remote attackers to obtain sensitive information via a direct request to the backup file in 
administration/db_backups/." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.waraxe.us/advisory-97.html", "refsource": "MISC", "url": "http://www.waraxe.us/advisory-97.html" }, { "name": "[oss-security] 20130302 Re: CVE request: PHP-Fusion waraxe-2013-SA#097", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/2" }, { "name": "[oss-security] 20130303 CVE request: PHP-Fusion waraxe-2013-SA#097", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/03/03/1" }, { "name": "90691", "refsource": "OSVDB", "url": "http://www.osvdb.org/90691" }, { "name": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html" }, { "name": "http://www.php-fusion.co.uk/news.php?readmore=569", "refsource": "CONFIRM", "url": "http://www.php-fusion.co.uk/news.php?readmore=569" }, { "name": "20130228 [waraxe-2013-SA#097] - Multiple Vulnerabilities in PHP-Fusion 7.02.05", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2013/Feb/154" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-1807", "datePublished": "2014-04-30T22:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:13:32.993Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-1918
Vulnerability from cvelistv5
Published
2008-04-22 16:00
Modified
2024-08-07 08:40
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in submit.php in PHP-Fusion 6.01.14 and 6.00.307, when magic_quotes_gpc is disabled and the database table prefix is known, allows remote authenticated users to execute arbitrary SQL commands via the submit_info[] parameter in a link submission action. NOTE: it was later reported that 7.00.2 is also affected.
References
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/33295 | third-party-advisory, x_refsource_SECUNIA | |
http://www.php-fusion.co.uk/news.php | x_refsource_CONFIRM | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/41914 | vdb-entry, x_refsource_XF | |
https://www.exploit-db.com/exploits/5470 | exploit, x_refsource_EXPLOIT-DB | |
http://www.vupen.com/english/advisories/2008/1318/references | vdb-entry, x_refsource_VUPEN | |
https://www.exploit-db.com/exploits/7576 | exploit, x_refsource_EXPLOIT-DB | |
http://secunia.com/advisories/29930 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/bid/28855 | vdb-entry, x_refsource_BID | |
http://osvdb.org/51052 | vdb-entry, x_refsource_OSVDB | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/47610 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T08:40:59.890Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "33295", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/33295" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.php-fusion.co.uk/news.php" }, { "name": "phpfusion-submit-sql-injection(41914)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41914" }, { "name": "5470", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/5470" }, { "name": "ADV-2008-1318", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/1318/references" }, { "name": "7576", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/7576" }, { "name": "29930", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29930" }, { "name": "28855", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/28855" }, { "name": "51052", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/51052" }, { "name": "phpfusion-submitinfo-sql-injection(47610)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47610" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-04-19T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in submit.php in PHP-Fusion 6.01.14 and 6.00.307, when magic_quotes_gpc is disabled and the database 
table prefix is known, allows remote authenticated users to execute arbitrary SQL commands via the submit_info[] parameter in a link submission action. NOTE: it was later reported that 7.00.2 is also affected." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "33295", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/33295" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.php-fusion.co.uk/news.php" }, { "name": "phpfusion-submit-sql-injection(41914)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41914" }, { "name": "5470", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/5470" }, { "name": "ADV-2008-1318", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/1318/references" }, { "name": "7576", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/7576" }, { "name": "29930", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29930" }, { "name": "28855", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/28855" }, { "name": "51052", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/51052" }, { "name": "phpfusion-submitinfo-sql-injection(47610)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47610" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-1918", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { 
"version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in submit.php in PHP-Fusion 6.01.14 and 6.00.307, when magic_quotes_gpc is disabled and the database table prefix is known, allows remote authenticated users to execute arbitrary SQL commands via the submit_info[] parameter in a link submission action. NOTE: it was later reported that 7.00.2 is also affected." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "33295", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33295" }, { "name": "http://www.php-fusion.co.uk/news.php", "refsource": "CONFIRM", "url": "http://www.php-fusion.co.uk/news.php" }, { "name": "phpfusion-submit-sql-injection(41914)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41914" }, { "name": "5470", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/5470" }, { "name": "ADV-2008-1318", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/1318/references" }, { "name": "7576", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/7576" }, { "name": "29930", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29930" }, { "name": "28855", "refsource": "BID", "url": "http://www.securityfocus.com/bid/28855" }, { "name": "51052", "refsource": "OSVDB", "url": "http://osvdb.org/51052" }, { "name": "phpfusion-submitinfo-sql-injection(47610)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47610" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-1918", "datePublished": "2008-04-22T16:00:00", "dateReserved": "2008-04-22T00:00:00", "dateUpdated": 
"2024-08-07T08:40:59.890Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2009-4889
Vulnerability from cvelistv5
Published
2010-06-11 14:00
Modified
2024-08-07 07:17
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in books.php in the Book Panel (book_panel) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the bookid parameter.
References
▼ | URL | Tags |
---|---|---|
http://www.exploit-db.com/exploits/8186 | exploit, x_refsource_EXPLOIT-DB | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/49160 | vdb-entry, x_refsource_XF | |
http://www.securityfocus.com/bid/34049 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T07:17:26.064Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "8186", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/8186" }, { "name": "bookpanel-books-sql-injection(49160)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49160" }, { "name": "34049", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/34049" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-03-09T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in books.php in the Book Panel (book_panel) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the bookid parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-18T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "8186", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/8186" }, { "name": "bookpanel-books-sql-injection(49160)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49160" }, { "name": "34049", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/34049" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-4889", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in books.php in the Book Panel (book_panel) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the bookid parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "8186", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/8186" }, { "name": "bookpanel-books-sql-injection(49160)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49160" }, { "name": "34049", "refsource": "BID", "url": "http://www.securityfocus.com/bid/34049" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-4889", "datePublished": "2010-06-11T14:00:00", "dateReserved": "2010-06-11T00:00:00", "dateUpdated": "2024-08-07T07:17:26.064Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-23179
Vulnerability from cvelistv5
Published
2021-07-02 17:51
Modified
2024-08-04 14:58
Severity ?
EPSS score ?
Summary
A stored cross site scripting (XSS) vulnerability in administration/settings_main.php of PHP-Fusion 9.03.50 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Site footer" field.
References
▼ | URL | Tags |
---|---|---|
https://github.com/PHPFusion/PHPFusion/issues/2320 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T14:58:14.495Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/PHPFusion/PHPFusion/issues/2320" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A stored cross site scripting (XSS) vulnerability in administration/settings_main.php of PHP-Fusion 9.03.50 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Site footer\" field." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-02T17:51:07", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/PHPFusion/PHPFusion/issues/2320" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-23179", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A stored cross site scripting (XSS) vulnerability in administration/settings_main.php of PHP-Fusion 9.03.50 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Site footer\" field." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/PHPFusion/PHPFusion/issues/2320", "refsource": "MISC", "url": "https://github.com/PHPFusion/PHPFusion/issues/2320" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-23179", "datePublished": "2021-07-02T17:51:07", "dateReserved": "2020-08-13T00:00:00", "dateUpdated": "2024-08-04T14:58:14.495Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-5196
Vulnerability from cvelistv5
Published
2008-11-21 17:00
Modified
2024-08-07 10:40
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in kroax.php in the Kroax (the_kroax) 4.42 and earlier module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the category parameter.
References
▼ | URL | Tags |
---|---|---|
https://www.exploit-db.com/exploits/5942 | exploit, x_refsource_EXPLOIT-DB | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/43462 | vdb-entry, x_refsource_XF | |
http://www.securityfocus.com/bid/29976 | vdb-entry, x_refsource_BID | |
http://securityreason.com/securityalert/4639 | third-party-advisory, x_refsource_SREASON |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T10:40:17.269Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "5942", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/5942" }, { "name": "kroax-kroax-sql-injection(43462)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43462" }, { "name": "29976", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/29976" }, { "name": "4639", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/4639" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-06-26T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in kroax.php in the Kroax (the_kroax) 4.42 and earlier module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the category parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "5942", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/5942" }, { "name": "kroax-kroax-sql-injection(43462)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43462" }, { "name": "29976", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/29976" }, { "name": "4639", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/4639" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-5196", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in kroax.php in the Kroax (the_kroax) 4.42 and earlier module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the category parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "5942", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/5942" }, { "name": "kroax-kroax-sql-injection(43462)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43462" }, { "name": "29976", "refsource": "BID", "url": "http://www.securityfocus.com/bid/29976" }, { "name": "4639", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/4639" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-5196", "datePublished": "2008-11-21T17:00:00", "dateReserved": "2008-11-21T00:00:00", "dateUpdated": "2024-08-07T10:40:17.269Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-14960
Vulnerability from cvelistv5
Published
2020-06-21 23:04
Modified
2024-08-04 13:00
Severity ?
EPSS score ?
Summary
A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter.
References
| URL | Tags |
|---|---|
| https://github.com/php-fusion/PHP-Fusion/issues/2327 | x_refsource_MISC |
| https://github.com/php-fusion/PHP-Fusion/commit/b3bde37f60e96f1a8ddd1439658307b28be77db5 | x_refsource_MISC |
| https://www.exploit-db.com/exploits/48487 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:00:52.019Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2327" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/b3bde37f60e96f1a8ddd1439658307b28be77db5" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/48487" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter," } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-21T23:04:40", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2327" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/php-fusion/PHP-Fusion/commit/b3bde37f60e96f1a8ddd1439658307b28be77db5" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.exploit-db.com/exploits/48487" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-14960", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint 
administration/comments.php via the ctype parameter," } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/php-fusion/PHP-Fusion/issues/2327", "refsource": "MISC", "url": "https://github.com/php-fusion/PHP-Fusion/issues/2327" }, { "name": "https://github.com/php-fusion/PHP-Fusion/commit/b3bde37f60e96f1a8ddd1439658307b28be77db5", "refsource": "MISC", "url": "https://github.com/php-fusion/PHP-Fusion/commit/b3bde37f60e96f1a8ddd1439658307b28be77db5" }, { "name": "https://www.exploit-db.com/exploits/48487", "refsource": "MISC", "url": "https://www.exploit-db.com/exploits/48487" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-14960", "datePublished": "2020-06-21T23:04:40", "dateReserved": "2020-06-21T00:00:00", "dateUpdated": "2024-08-04T13:00:52.019Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-23182
Vulnerability from cvelistv5
Published
2021-07-02 17:51
Modified
2024-08-04 14:58
Severity ?
EPSS score ?
Summary
The component /php-fusion/infusions/shoutbox_panel/shoutbox_archive.php in PHP-Fusion 9.03.60 allows attackers to redirect victim users to malicious websites via a crafted payload entered into the Shoutbox message panel.
References
| URL | Tags |
|---|---|
| https://github.com/phpfusion/PHPFusion/issues/2329 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T14:58:15.055Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2329" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The component /php-fusion/infusions/shoutbox_panel/shoutbox_archive.php in PHP-Fusion 9.03.60 allows attackers to redirect victim users to malicious websites via a crafted payload entered into the Shoutbox message panel." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-02T17:51:11", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2329" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-23182", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The component /php-fusion/infusions/shoutbox_panel/shoutbox_archive.php in PHP-Fusion 9.03.60 allows attackers to redirect victim users to malicious websites via a crafted payload entered into the Shoutbox message panel." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/phpfusion/PHPFusion/issues/2329", "refsource": "MISC", "url": "https://github.com/phpfusion/PHPFusion/issues/2329" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-23182", "datePublished": "2021-07-02T17:51:11", "dateReserved": "2020-08-13T00:00:00", "dateUpdated": "2024-08-04T14:58:15.055Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2009-0832
Vulnerability from cvelistv5
Published
2009-03-05 20:00
Modified
2024-08-07 04:48
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in items.php in the E-Cart module 1.3 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the CA parameter.
References
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/7698 | exploit, x_refsource_EXPLOIT-DB |
| http://www.securityfocus.com/bid/33155 | vdb-entry, x_refsource_BID |
| http://www.securityfocus.com/archive/1/499835/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T04:48:52.302Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "7698", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/7698" }, { "name": "33155", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/33155" }, { "name": "20090107 PHP-Fusion Mod E-Cart Sql Injection", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/499835/100/0/threaded" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-01-07T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in items.php in the E-Cart module 1.3 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the CA parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-10T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "7698", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/7698" }, { "name": "33155", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/33155" }, { "name": "20090107 PHP-Fusion Mod E-Cart Sql Injection", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/499835/100/0/threaded" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-0832", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in items.php in the E-Cart module 1.3 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the CA parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "7698", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/7698" }, { "name": "33155", "refsource": "BID", "url": "http://www.securityfocus.com/bid/33155" }, { "name": "20090107 PHP-Fusion Mod E-Cart Sql Injection", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/499835/100/0/threaded" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-0832", "datePublished": "2009-03-05T20:00:00", "dateReserved": "2009-03-05T00:00:00", "dateUpdated": "2024-08-07T04:48:52.302Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-23185
Vulnerability from cvelistv5
Published
2021-07-02 17:51
Modified
2024-08-04 14:58
Severity ?
EPSS score ?
Summary
A stored cross site scripting (XSS) vulnerability in /administration/setting_security.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.
References
| URL | Tags |
|---|---|
| https://github.com/phpfusion/PHPFusion/issues/2331 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T14:58:14.580Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2331" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A stored cross site scripting (XSS) vulnerability in /administration/setting_security.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-02T17:51:16", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2331" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-23185", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A stored cross site scripting (XSS) vulnerability in /administration/setting_security.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/phpfusion/PHPFusion/issues/2331", "refsource": "MISC", "url": "https://github.com/phpfusion/PHPFusion/issues/2331" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-23185", "datePublished": "2021-07-02T17:51:16", "dateReserved": "2020-08-13T00:00:00", "dateUpdated": "2024-08-04T14:58:14.580Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2007-3559
Vulnerability from cvelistv5
Published
2007-07-04 16:00
Modified
2024-08-07 14:21
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in infusions/shoutbox_panel/shoutbox_panel.php in PHP-Fusion 6.01.10 and 6.01.9, when guest posts are enabled, allows remote authenticated users to inject arbitrary web script or HTML via the URI, related to the FUSION_QUERY constant.
References
| URL | Tags |
|---|---|
| http://www.xssed.com/advisory/60/PHP-FUSION_FUSION_QUERY_Cross-Site_Scripting_Vulnerability/ | x_refsource_MISC |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/35225 | vdb-entry, x_refsource_XF |
| http://osvdb.org/36342 | vdb-entry, x_refsource_OSVDB |
| http://secunia.com/advisories/25907 | third-party-advisory, x_refsource_SECUNIA |
| http://www.securityfocus.com/bid/24733 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T14:21:36.324Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.xssed.com/advisory/60/PHP-FUSION_FUSION_QUERY_Cross-Site_Scripting_Vulnerability/" }, { "name": "phpfusion-shoutboxpanel-xss(35225)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35225" }, { "name": "36342", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/36342" }, { "name": "25907", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/25907" }, { "name": "24733", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/24733" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-07-02T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in infusions/shoutbox_panel/shoutbox_panel.php in PHP-Fusion 6.01.10 and 6.01.9, when guest posts are enabled, allows remote authenticated users to inject arbitrary web script or HTML via the URI, related to the FUSION_QUERY constant." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-07-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.xssed.com/advisory/60/PHP-FUSION_FUSION_QUERY_Cross-Site_Scripting_Vulnerability/" }, { "name": "phpfusion-shoutboxpanel-xss(35225)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35225" }, { "name": "36342", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/36342" }, { "name": "25907", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/25907" }, { "name": "24733", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/24733" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3559", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in infusions/shoutbox_panel/shoutbox_panel.php in PHP-Fusion 6.01.10 and 6.01.9, when guest posts are enabled, allows remote authenticated users to inject arbitrary web script or HTML via the URI, related to the FUSION_QUERY constant." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.xssed.com/advisory/60/PHP-FUSION_FUSION_QUERY_Cross-Site_Scripting_Vulnerability/", "refsource": "MISC", "url": "http://www.xssed.com/advisory/60/PHP-FUSION_FUSION_QUERY_Cross-Site_Scripting_Vulnerability/" }, { "name": "phpfusion-shoutboxpanel-xss(35225)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35225" }, { "name": "36342", "refsource": "OSVDB", "url": "http://osvdb.org/36342" }, { "name": "25907", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25907" }, { "name": "24733", "refsource": "BID", "url": "http://www.securityfocus.com/bid/24733" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3559", "datePublished": "2007-07-04T16:00:00", "dateReserved": "2007-07-04T00:00:00", "dateUpdated": "2024-08-07T14:21:36.324Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-23184
Vulnerability from cvelistv5
Published
2021-07-02 17:51
Modified
2024-08-04 14:58
Severity ?
EPSS score ?
Summary
A stored cross site scripting (XSS) vulnerability in /administration/settings_registration.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Registration" field.
References
| URL | Tags |
|---|---|
| https://github.com/phpfusion/PHPFusion/issues/2323 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T14:58:14.403Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2323" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A stored cross site scripting (XSS) vulnerability in /administration/settings_registration.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Registration\" field." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-02T17:51:14", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/phpfusion/PHPFusion/issues/2323" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-23184", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A stored cross site scripting (XSS) vulnerability in /administration/settings_registration.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \"Registration\" field." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/phpfusion/PHPFusion/issues/2323", "refsource": "MISC", "url": "https://github.com/phpfusion/PHPFusion/issues/2323" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-23184", "datePublished": "2021-07-02T17:51:14", "dateReserved": "2020-08-13T00:00:00", "dateUpdated": "2024-08-04T14:58:14.403Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2009-0831
Vulnerability from cvelistv5
Published
2009-03-05 20:00
Modified
2024-08-07 04:48
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in members.php in the Members CV (job) module 1.0 for PHP-Fusion, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the sortby parameter.
References
| URL | Tags |
|---|---|
| http://secunia.com/advisories/33424 | third-party-advisory, x_refsource_SECUNIA |
| https://www.exploit-db.com/exploits/7697 | exploit, x_refsource_EXPLOIT-DB |
| http://www.securityfocus.com/bid/33156 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T04:48:52.376Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "33424", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/33424" }, { "name": "7697", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/7697" }, { "name": "33156", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/33156" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-01-07T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in members.php in the Members CV (job) module 1.0 for PHP-Fusion, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the sortby parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "33424", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/33424" }, { "name": "7697", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/7697" }, { "name": "33156", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/33156" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-0831", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in members.php in the Members CV (job) module 1.0 for PHP-Fusion, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the sortby parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "33424", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33424" }, { "name": "7697", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/7697" }, { "name": "33156", "refsource": "BID", "url": "http://www.securityfocus.com/bid/33156" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-0831", "datePublished": "2009-03-05T20:00:00", "dateReserved": "2009-03-05T00:00:00", "dateUpdated": "2024-08-07T04:48:52.376Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2011-0512
Vulnerability from cvelistv5
Published
2011-01-20 18:00
Modified
2024-08-06 21:58
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in team.php in the Teams Structure module 3.0 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the team_id parameter.
References
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/45826 | vdb-entry, x_refsource_BID |
| http://osvdb.org/70451 | vdb-entry, x_refsource_OSVDB |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/64727 | vdb-entry, x_refsource_XF |
| http://secunia.com/advisories/42943 | third-party-advisory, x_refsource_SECUNIA |
| http://www.exploit-db.com/exploits/16004 | exploit, x_refsource_EXPLOIT-DB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T21:58:25.834Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "45826", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/45826" }, { "name": "70451", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/70451" }, { "name": "phpfusion-team-structure-sql-injection(64727)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64727" }, { "name": "42943", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/42943" }, { "name": "16004", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/16004" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2011-01-17T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in team.php in the Teams Structure module 3.0 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the team_id parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "45826", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/45826" }, { "name": "70451", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/70451" }, { "name": "phpfusion-team-structure-sql-injection(64727)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64727" }, { "name": "42943", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/42943" }, { "name": "16004", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/16004" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-0512", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in team.php in the Teams Structure module 3.0 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the team_id parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "45826", "refsource": "BID", "url": "http://www.securityfocus.com/bid/45826" }, { "name": "70451", "refsource": "OSVDB", "url": "http://osvdb.org/70451" }, { "name": "phpfusion-team-structure-sql-injection(64727)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64727" }, { "name": "42943", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42943" }, { "name": "16004", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/16004" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-0512", "datePublished": "2011-01-20T18:00:00", "dateReserved": "2011-01-20T00:00:00", "dateUpdated": "2024-08-06T21:58:25.834Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-5733
Vulnerability from cvelistv5
Published
2008-12-26 17:08
Modified
2024-08-07 11:04
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in blog.php in the Team Impact TI Blog System mod for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the id parameter.
References
| URL | Tags |
|---|---|
| http://osvdb.org/51017 | vdb-entry, x_refsource_OSVDB |
| https://www.exploit-db.com/exploits/7598 | exploit, x_refsource_EXPLOIT-DB |
| http://www.securityfocus.com/archive/1/499583/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
| http://www.securityfocus.com/bid/33019 | vdb-entry, x_refsource_BID |
| http://securityreason.com/securityalert/4814 | third-party-advisory, x_refsource_SREASON |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T11:04:44.571Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "51017", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/51017" }, { "name": "7598", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/7598" }, { "name": "20081225 PHP-Fusion Mod TI - Blog System Sql Injection", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/499583/100/0/threaded" }, { "name": "33019", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/33019" }, { "name": "4814", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/4814" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-12-24T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in blog.php in the Team Impact TI Blog System mod for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the id parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "51017", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/51017" }, { "name": "7598", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/7598" }, { "name": "20081225 PHP-Fusion Mod TI - Blog System Sql Injection", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/499583/100/0/threaded" }, { "name": "33019", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/33019" }, { "name": "4814", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/4814" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-5733", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in blog.php in the Team Impact TI Blog System mod for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the id parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "51017", "refsource": "OSVDB", "url": "http://osvdb.org/51017" }, { "name": "7598", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/7598" }, { "name": "20081225 PHP-Fusion Mod TI - Blog System Sql Injection", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/499583/100/0/threaded" }, { "name": "33019", "refsource": "BID", "url": "http://www.securityfocus.com/bid/33019" }, { "name": "4814", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/4814" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-5733", "datePublished": "2008-12-26T17:08:00", "dateReserved": "2008-12-26T00:00:00", "dateUpdated": "2024-08-07T11:04:44.571Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-6850
Vulnerability from cvelistv5
Published
2009-07-07 18:35
Modified
2024-08-07 11:42
Summary
Cross-site scripting (XSS) vulnerability in messages.php in PHP-Fusion 6.01.17 and 7.00.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
URL | Tags | |
---|---|---|
http://osvdb.org/51053 | vdb-entry, x_refsource_OSVDB | |
http://secunia.com/advisories/33295 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/bid/33058 | vdb-entry, x_refsource_BID | |
http://www.php-fusion.co.uk/news.php?readmore=443 | x_refsource_CONFIRM | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/47665 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T11:42:00.924Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "51053", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/51053" }, { "name": "33295", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/33295" }, { "name": "33058", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/33058" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=443" }, { "name": "phpfusion-messages-xss(47665)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47665" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-12-29T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in messages.php in PHP-Fusion 6.01.17 and 7.00.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "51053", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/51053" }, { "name": "33295", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/33295" }, { "name": "33058", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/33058" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.php-fusion.co.uk/news.php?readmore=443" }, { "name": "phpfusion-messages-xss(47665)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47665" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-6850", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in messages.php in PHP-Fusion 6.01.17 and 7.00.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "51053", "refsource": "OSVDB", "url": "http://osvdb.org/51053" }, { "name": "33295", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33295" }, { "name": "33058", "refsource": "BID", "url": "http://www.securityfocus.com/bid/33058" }, { "name": "http://www.php-fusion.co.uk/news.php?readmore=443", "refsource": "CONFIRM", "url": "http://www.php-fusion.co.uk/news.php?readmore=443" }, { "name": "phpfusion-messages-xss(47665)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47665" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-6850", "datePublished": "2009-07-07T18:35:00", "dateReserved": "2009-07-07T00:00:00", "dateUpdated": "2024-08-07T11:42:00.924Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-24949
Vulnerability from cvelistv5
Published
2020-09-03 13:51
Modified
2024-08-04 15:26
Summary
Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE).
References
URL | Tags | |
---|---|---|
https://github.com/php-fusion/PHP-Fusion/issues/2312 | x_refsource_MISC | |
http://packetstormsecurity.com/files/162852/PHPFusion-9.03.50-Remote-Code-Execution.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:26:08.691Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2312" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/162852/PHPFusion-9.03.50-Remote-Code-Execution.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE)." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-28T15:06:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/php-fusion/PHP-Fusion/issues/2312" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/162852/PHPFusion-9.03.50-Remote-Code-Execution.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-24949", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE)." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/php-fusion/PHP-Fusion/issues/2312", "refsource": "MISC", "url": "https://github.com/php-fusion/PHP-Fusion/issues/2312" }, { "name": "http://packetstormsecurity.com/files/162852/PHPFusion-9.03.50-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/162852/PHPFusion-9.03.50-Remote-Code-Execution.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-24949", "datePublished": "2020-09-03T13:51:12", "dateReserved": "2020-08-28T00:00:00", "dateUpdated": "2024-08-04T15:26:08.691Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }