PHP-Fusion: vulnerabilities rated High

DATE        CVE             RISK (CVSS base score; attack vector, attack complexity, CWE)
            Vulnerability title on the second line, description on the third.
2023-09-05  CVE-2023-2453   8.8 (network, low complexity, CWE-829)
            Inclusion of Functionality from Untrusted Control Sphere vulnerability in PHP-Fusion PHPfusion
            There is insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a 'require_once' statement.
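The CVE text above describes the classic CWE-829 shape: a request-controlled name is spliced into a path that then reaches require_once. The following is an added example, not PHP-Fusion's own code; the directory layout, the module names and the "module" parameter are assumptions for the demonstration. It shows the vulnerable loader next to one that allowlists the name and then pins the canonicalised path inside the intended directory.

```php
<?php
declare(strict_types=1);

// Added example, not PHP-Fusion code. The "infusions" directory, the module
// names and the request parameter are assumptions made for this demo.

// Vulnerable: whatever arrives in the request is spliced into the include path.
// A value such as "../../uploads/avatar" (or an absolute path) escapes the
// intended directory and executes any PHP the attacker can get written to disk.
function load_module_vulnerable(string $baseDir, string $name): void
{
    require_once $baseDir . '/' . $name . '.php';
}

// Hardened: exact-match allowlist first, then canonicalise and confirm that the
// resolved file still lies inside $baseDir. Returns the safe path or null.
// The allowlist runs before realpath(), so a null byte never reaches realpath()
// (which throws a ValueError for it on PHP 8).
function resolve_module_path(string $baseDir, string $name, array $allowed): ?string
{
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // Compare with the trailing separator so "/site/infusions2" cannot pass as "/site/infusions".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_module_hardened(string $baseDir, string $name, array $allowed): mixed
{
    $path = resolve_module_path($baseDir, $name, $allowed);
    if ($path === null) {
        http_response_code(400);
        return null;
    }
    return require $path;
}

// Constructed fixture: a temporary module directory holding one legitimate module.
$dir = sys_get_temp_dir() . '/infusions_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/forum.php', "<?php return 'forum loaded';\n");
$allowed = ['forum', 'news', 'downloads'];   // assumed module names

var_dump(load_module_hardened($dir, 'forum', $allowed));            // string(12) "forum loaded"
var_dump(resolve_module_path($dir, '../../etc/passwd', $allowed)); // NULL: not in the allowlist
var_dump(resolve_module_path($dir, "forum\0", $allowed));          // NULL: strict comparison fails
// load_module_vulnerable($dir, $_GET['module'] ?? '') is the pattern the CVE text describes.
```

The allowlist is the control that matters; the realpath() containment check is belt-and-braces for the case where the list is later replaced by a pattern match. Neither helps if the base directory itself is writable by users, which is why uploads should never share a tree with includable code.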
2023-02-17  CVE-2021-3172   8.1 (network, low complexity, CWE not listed)
            Unspecified vulnerability in PHP-Fusion 9.03.90
            An issue in Php-Fusion v9.03.90, fixed in v9.10.00, allows authenticated attackers to cause a Distributed Denial of Service via the Polling feature.
2022-09-07  CVE-2022-3152   8.8 (network, low complexity, CWE-287)
            Improper Authentication vulnerability in PHP-Fusion PHPfusion
            Unverified Password Change in GitHub repository phpfusion/phpfusion prior to 9.10.20.
2021-10-11  CVE-2021-40188  7.2 (network, low complexity, CWE-434)
            Unrestricted Upload of File with Dangerous Type vulnerability in PHP-Fusion PHPfusion 9.03.110
            PHPFusion 9.03.110 is affected by an arbitrary file upload vulnerability.
2021-10-11  CVE-2021-40189  7.2 (network, low complexity, CWE-434)
            Unrestricted Upload of File with Dangerous Type vulnerability in PHP-Fusion PHPfusion 9.03.110
            PHPFusion 9.03.110 is affected by a remote code execution vulnerability.
2020-09-03  CVE-2020-24949  8.8 (network, low complexity, CWE not listed)
            Unspecified vulnerability in PHP-Fusion 9.03.50
            Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE).
2020-06-22  CVE-2020-14960  7.2 (network, low complexity, CWE-89)
            SQL Injection vulnerability in PHP-Fusion 9.03.50
            A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter.
2020-04-29  CVE-2020-12461  8.8 (network, low complexity, CWE-89)
            SQL Injection vulnerability in PHP-Fusion 9.03.50
            PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism.
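Both SQL injection entries (CVE-2020-14960, via the ctype parameter of administration/comments.php, and CVE-2020-12461, in maincore.php) come down to a request value reaching the query text. The block below is an added example and is not PHP-Fusion's code: the table, column names and the set of valid ctype values are assumptions, and an in-memory SQLite database stands in for MySQL so it runs offline. It contrasts string concatenation with a bound parameter behind an allowlist, using the same injected input against both.

```php
<?php
declare(strict_types=1);

// Added example, not PHP-Fusion code. Table layout, column names and the
// accepted ctype values are assumptions; SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE comments (comment_id INTEGER PRIMARY KEY, comment_type TEXT, comment_message TEXT)");
$db->exec("INSERT INTO comments VALUES (1, 'N', 'news comment'), (2, 'D', 'download comment'), (3, 'P', 'photo comment')");

// Vulnerable: the ctype value is concatenated into the query text, so the
// quoting of the SQL is under the requester's control.
function list_comments_vulnerable(PDO $db, string $ctype): array
{
    $sql = "SELECT comment_id FROM comments WHERE comment_type = '" . $ctype . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: ctype is an enumeration, so reject anything outside it, and bind
// the value as a parameter so it can never change the query structure.
function list_comments_hardened(PDO $db, string $ctype): array
{
    static $allowed = ['N', 'D', 'P'];   // assumed comment types
    if (!in_array($ctype, $allowed, true)) {
        return [];
    }
    $stmt = $db->prepare("SELECT comment_id FROM comments WHERE comment_type = :ctype");
    $stmt->execute([':ctype' => $ctype]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input: a tautology injected through the ctype value.
$payload = "N' OR '1'='1";

print_r(list_comments_vulnerable($db, $payload));   // every comment_id: the WHERE clause was rewritten
print_r(list_comments_hardened($db, $payload));     // empty array: rejected before any SQL runs
print_r(list_comments_hardened($db, 'N'));          // [1]
```

When a parameter is a closed enumeration, the allowlist alone would stop this input, but the prepared statement is what protects the query for free-form values (search strings, titles) where no allowlist exists. Emulated prepares are still parameterised on the client side; for MySQL set PDO::ATTR_EMULATE_PREPARES to false so the server parses the statement once and the values never touch the SQL text.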
2019-05-14  CVE-2019-12099  8.8 (network, low complexity, CWE-434)
            Unrestricted Upload of File with Dangerous Type vulnerability in PHP-Fusion
            In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload.
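Three of the entries above (CVE-2019-12099, CVE-2021-40188, CVE-2021-40189) are CWE-434: an upload handler that lets an executable file land in a web-served directory. The block below is an added example, not PHP-Fusion's code; the avatar directory, the accepted image types and the file fixtures are assumptions. It places a handler that trusts the client-supplied name beside one that derives the extension from the detected content, names the file randomly and re-encodes the image through GD when that extension is available, then runs both against a constructed GIF and a constructed PHP script.

```php
<?php
declare(strict_types=1);

// Added example, not PHP-Fusion code. Directory, accepted types and the input
// files are assumptions made for this demo.
const AVATAR_EXT = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Vulnerable: the stored name (and therefore the extension the web server acts
// on) comes straight from the client. "shell.php" ends up in a served directory;
// "shell.php.gif" does too, and executes where the PHP handler matches .php
// anywhere in the name rather than only as the final extension.
function store_avatar_vulnerable(string $tmpPath, string $clientName, string $dir): string
{
    $dest = $dir . '/' . basename($clientName);
    copy($tmpPath, $dest);   // move_uploaded_file() in a real handler
    return $dest;
}

// Hardened: extension from detected content, random name, bytes re-encoded so
// anything hidden inside the image container is discarded. Returns the stored
// path or null on rejection.
function store_avatar_hardened(string $tmpPath, string $dir): ?string
{
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(AVATAR_EXT[$info['mime']])) {
        return null;   // not an image type we accept
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== $info['mime']) {
        return null;   // two detectors disagree: treat the file as hostile
    }
    $ext  = AVATAR_EXT[$info['mime']];
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    if (extension_loaded('gd')) {
        $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
        if ($img === false) {
            return null;
        }
        $ok = match ($ext) {
            'png' => imagepng($img, $dest),
            'jpg' => imagejpeg($img, $dest),
            'gif' => imagegif($img, $dest),
        };
        imagedestroy($img);
        return $ok ? $dest : null;
    }
    // Without GD the bytes are stored as received; the name and extension are
    // still ours, and the directory must be configured not to execute scripts.
    return copy($tmpPath, $dest) ? $dest : null;
}

// Constructed fixtures: a 1x1 transparent GIF and a PHP script posing as an avatar.
$dir = sys_get_temp_dir() . '/avatar_demo_' . getmypid();
mkdir($dir);
$gifUpload = $dir . '/in_gif';
file_put_contents($gifUpload, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$phpUpload = $dir . '/in_php';
file_put_contents($phpUpload, "<?php echo 'executed'; ?>\n");

echo store_avatar_vulnerable($phpUpload, 'avatar.php', $dir), PHP_EOL;   // avatar.php now sits in $dir
var_dump(store_avatar_hardened($phpUpload, $dir));                       // NULL: not an image
var_dump(store_avatar_hardened($gifUpload, $dir));                       // random name ending in .gif
var_dump(store_avatar_hardened($gifUpload, $dir) !== null);              // bool(true), whatever the client called it
```

The client-supplied name and Content-Type never influence the stored path; they are attacker input and at most worth logging. Content sniffing on its own is not sufficient either, because a valid GIF can carry PHP in its comment block, which is why the re-encode step and a non-executing upload directory (no PHP handler, or stored outside the document root and served through a script) are the controls that close the class rather than one sample.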