Vulnerabilities > PHP Fusion > PHP Fusion > 9.03

DATE CVE VULNERABILITY TITLE RISK
2021-01-03 CVE-2020-35952 Unspecified vulnerability in PHP-Fusion
login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow enumeration.
network
low complexity
php-fusion
4.0
4.0
2020-08-12 CVE-2020-17450 Cross-site Scripting vulnerability in PHP-Fusion 9.0/9.00/9.03
PHP-Fusion 9.03 allows XSS on the preview page.
network
php-fusion CWE-79
4.3
4.3
2020-08-12 CVE-2020-17449 Cross-site Scripting vulnerability in PHP-Fusion 9.0/9.00/9.03
PHP-Fusion 9.03 allows XSS via the error_log file.
network
php-fusion CWE-79
3.5
3.5
2019-05-14 CVE-2019-12099 Unrestricted Upload of File with Dangerous Type vulnerability in PHP-Fusion
In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload.
network
low complexity
php-fusion CWE-434
critical
 9.0
9.0