Vulnerabilities > CVE-2020-35952 - Unspecified vulnerability in PHP-Fusion

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

php-fusion

NVD

Published: 2021-01-03

Updated: 2021-01-11

Summary

login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow enumeration.

Vulnerable Configurations

Part	Description	Count
Application	Php-Fusion PHP Fusion PHP Fusion 9.0 PHP Fusion PHP Fusion 9.00 PHP Fusion PHP Fusion 9.03 PHP Fusion PHP Fusion 9.03.00 PHP Fusion PHP Fusion 9.03.10 PHP Fusion PHP Fusion 9.03.20 PHP Fusion PHP Fusion 9.03.30 PHP Fusion PHP Fusion 9.03.40 PHP Fusion PHP Fusion 9.03.50 PHP Fusion PHP Fusion 9.03.60 PHP Fusion PHP Fusion 9.03.70 PHP Fusion PHP Fusion 9.03.80	16

References

https://github.com/PHPFusion/PHPFusion/issues/2346