Vulnerabilities > PHP Fusion > Medium
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2009-07-07 | CVE-2008-6850 | Cross-Site Scripting vulnerability in PHP-Fusion 6.01.17/7.00.3 | Cross-site scripting (XSS) vulnerability in messages.php in PHP-Fusion 6.01.17 and 7.00.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2009-03-05 | CVE-2009-0831 | SQL Injection vulnerability in PHP-Fusion Members CV Module 1.0 | SQL injection vulnerability in members.php in the Members CV (job) module 1.0 for PHP-Fusion, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the sortby parameter. | 6.0 |
2008-12-05 | CVE-2008-5335 | SQL Injection vulnerability in PHP-Fusion 6.01.15/7.00.1 | SQL injection vulnerability in messages.php in PHP-Fusion 6.01.15 and 7.00.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the subject and msg_send parameters, a different vector than CVE-2005-3157, CVE-2005-3158, CVE-2005-3159, CVE-2005-4005, and CVE-2006-2459. | 6.8 |
2008-05-14 | CVE-2008-2227 | Path Traversal vulnerability in PHP-Fusion Forum Rank System 6 | Multiple directory traversal vulnerabilities in PHP-Fusion Forum Rank System 6 allow remote attackers to include and execute arbitrary local files via a .. | 6.8 |
2008-04-23 | CVE-2008-1918 | SQL Injection vulnerability in PHP-Fusion 6.00.307/6.01.14 | SQL injection vulnerability in submit.php in PHP-Fusion 6.01.14 and 6.00.307, when magic_quotes_gpc is disabled and the database table prefix is known, allows remote authenticated users to execute arbitrary SQL commands via the submit_info[] parameter in a link submission action. | 6.0 |
2006-07-13 | CVE-2006-3555 | HTML Injection vulnerability in PHP-Fusion Avatar Image | Multiple cross-site scripting (XSS) vulnerabilities in submit.php in PHP-Fusion before 6.01.3 allow remote attackers to inject arbitrary web script or HTML by using edit_profile.php to upload a (1) avatar or (2) forum image attachment that has a .gif or .jpg extension, and begins with a GIF header followed by JavaScript code, which is executed by Internet Explorer. | 5.8 |
2006-05-19 | CVE-2006-2459 | SQL Injection vulnerability in PHP Fusion PHP Fusion 6.00.306/6.00.307 | SQL injection vulnerability in messages.php in PHP-Fusion 6.00.307 and earlier allows remote authenticated users to execute arbitrary SQL commands via the srch_where parameter. | 6.4 |
2006-05-12 | CVE-2006-2331 | Local File Include vulnerability in PHP-Fusion | Multiple directory traversal vulnerabilities in PHP-Fusion 6.00.306 allow remote attackers to include and execute arbitrary local files via (1) a .. | 6.4 |
2006-05-12 | CVE-2006-2330 | Local File Include vulnerability in PHP-Fusion | PHP-Fusion 6.00.306 and earlier, running under Apache HTTP Server 1.3.27 and PHP 4.3.3, allows remote authenticated users to upload files of arbitrary types using a filename that contains two or more extensions that ends in an assumed-valid extension such as .gif, which bypasses the validation, as demonstrated by uploading then executing an avatar file that ends in ".php.gif" and contains PHP code in EXIF metadata. | 6.4 |
2006-02-08 | CVE-2006-0593 | Cross-Site Scripting vulnerability in PHP-Fusion | Cross-site scripting (XSS) vulnerability in PHP-Fusion before 6.00.304 allows remote attackers to inject arbitrary web script or HTML via the (1) shout_name field in shoutbox_panel.php and the (2) comments field in comments_include.php. | 4.3 |