Vulnerabilities > PHP Fusion

DATE CVE VULNERABILITY TITLE RISK
2021-01-13 CVE-2020-35687 Cross-Site Request Forgery (CSRF) vulnerability in PHP-Fusion PHPfusion 9.03.90
PHPFusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of all shoutbox messages by the attacker on behalf of the logged in victim.
4.3
2021-01-03 CVE-2020-35952 Unspecified vulnerability in PHP-Fusion
login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow enumeration.
network
low complexity
php-fusion
4.0
2020-09-03 CVE-2020-24949 Improper Privilege Management vulnerability in PHP-Fusion 9.03.50
Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE).
network
low complexity
php-fusion CWE-269
critical
9.0
2020-08-26 CVE-2020-23658 Cross-Site Scripting vulnerability in PHP-Fusion 9.03.60
PHP-Fusion 9.03.60 is affected by Cross Site Scripting (XSS) via infusions/member_poll_panel/poll_admin.php.
network
php-fusion CWE-79
3.5
2020-08-12 CVE-2020-17450 Cross-Site Scripting vulnerability in PHP-Fusion 9.0/9.00/9.03
PHP-Fusion 9.03 allows XSS on the preview page.
network
php-fusion CWE-79
4.3
2020-08-12 CVE-2020-17449 Cross-Site Scripting vulnerability in PHP-Fusion 9.0/9.00/9.03
PHP-Fusion 9.03 allows XSS via the error_log file.
network
php-fusion CWE-79
3.5
2020-06-24 CVE-2020-15041 Cross-Site Scripting vulnerability in PHP-Fusion 9.03.60
PHP-Fusion 9.03.60 allows XSS via the administration/site_links.php Add Site Link field.
network
php-fusion CWE-79
3.5
2020-06-22 CVE-2020-14960 SQL Injection vulnerability in PHP-Fusion 9.03.50
A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter,
network
low complexity
php-fusion CWE-89
6.5
2020-05-08 CVE-2020-12718 Cross-Site Scripting vulnerability in PHP-Fusion 9.03.50
In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature.
network
php-fusion CWE-79
3.5
2020-05-07 CVE-2020-12708 Cross-Site Scripting vulnerability in PHP-Fusion 9.03.50
Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php.
network
php-fusion CWE-79
4.3