Vulnerabilities > PHP Fusion > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-01-03 | CVE-2020-35952 | Unspecified vulnerability in PHP-Fusion login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow enumeration. | 4.0 |
| 2020-08-12 | CVE-2020-17450 | Cross-site Scripting vulnerability in PHP-Fusion 9.0/9.00/9.03 PHP-Fusion 9.03 allows XSS on the preview page. | 4.3 |
| 2020-06-22 | CVE-2020-14960 | SQL Injection vulnerability in PHP-Fusion 9.03.50 A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter, | 6.5 |
| 2020-05-07 | CVE-2020-12708 | Cross-site Scripting vulnerability in PHP-Fusion 9.03.50 Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. | 4.3 |
| 2020-04-29 | CVE-2020-12461 | SQL Injection vulnerability in PHP-Fusion 9.03.50 PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. | 6.5 |
| 2014-04-30 | CVE-2013-1807 | Permissions, Privileges, and Access Controls vulnerability in PHP-Fusion PHP-Fusion before 7.02.06 stores backup files with predictable filenames in an unrestricted directory under the web document root, which might allow remote attackers to obtain sensitive information via a direct request to the backup file in administration/db_backups/. | 5.0 |
| 2014-04-30 | CVE-2013-1806 | Path Traversal vulnerability in PHP-Fusion Multiple directory traversal vulnerabilities in PHP-Fusion before 7.02.06 allow remote authenticated users to include and execute arbitrary files via a .. | 6.5 |
| 2014-04-29 | CVE-2013-1804 | Cross-Site Scripting vulnerability in PHP-Fusion Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (2) user_list or (3) user_types parameter to messages.php; (4) message parameter to infusions/shoutbox_panel/shoutbox_admin.php; (5) message parameter to administration/news.php; (6) panel_list parameter to administration/panel_editor.php; (7) HTTP User Agent string to administration/phpinfo.php; (8) "__BBCODE__" parameter to administration/bbcodes.php; errorMessage parameter to (9) article_cats.php, (10) download_cats.php, (11) news_cats.php, or (12) weblink_cats.php in administration/, when error is 3; or (13) body or (14) body2 parameter to administration/articles.php. | 4.3 |
| 2012-11-26 | CVE-2012-6043 | Cross-Site Scripting vulnerability in PHP-Fusion 7.02.04 Cross-site scripting (XSS) vulnerability in downloads.php in PHP-Fusion 7.02.04 allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter. | 4.3 |
| 2011-01-20 | CVE-2011-0512 | SQL Injection vulnerability in Jikaka Teams Structure Module 3.0 SQL injection vulnerability in team.php in the Teams Structure module 3.0 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the team_id parameter. | 6.8 |