Shodan
Vulnerabilities
Vulnerable Software
Php-Fusion:  >> Php-Fusion  >> 9.03  Security Vulnerabilities
CVE-2020-35952
login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow enumeration.
CVSS Score
6.5
EPSS Score
0.003
Published
2021-01-03
CVE-2020-17449
PHP-Fusion 9.03 allows XSS via the error_log file.
CVSS Score
5.4
EPSS Score
0.002
Published
2020-08-12
CVE-2020-17450
PHP-Fusion 9.03 allows XSS on the preview page.
CVSS Score
6.1
EPSS Score
0.002
Published
2020-08-12
CVE-2019-12099
In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload.
CVSS Score
8.8
EPSS Score
0.429
Published
2019-05-14
CVE-2010-4791
SQL injection vulnerability in infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php in the MG User-Fotoalbum (mg_user_fotoalbum_panel) module 1.0.1 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the album_id parameter.
CVSS Score
7.5
EPSS Score
0.013
Published
2011-04-27
CVE-2011-0512
SQL injection vulnerability in team.php in the Teams Structure module 3.0 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the team_id parameter.
CVSS Score
6.8
EPSS Score
0.009
Published
2011-01-20
CVE-2009-4889
SQL injection vulnerability in books.php in the Book Panel (book_panel) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the bookid parameter.
CVSS Score
7.5
EPSS Score
0.003
Published
2010-06-11
CVE-2009-3119
SQL injection vulnerability in screen.php in the Download System mSF (dsmsf) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the view_id parameter.
CVSS Score
7.5
EPSS Score
0.004
Published
2009-09-09
CVE-2009-0831
SQL injection vulnerability in members.php in the Members CV (job) module 1.0 for PHP-Fusion, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the sortby parameter.
CVSS Score
6.0
EPSS Score
0.002
Published
2009-03-05
CVE-2009-0832
SQL injection vulnerability in items.php in the E-Cart module 1.3 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the CA parameter.
CVSS Score
7.5
EPSS Score
0.002
Published
2009-03-05


Products
Pricing
Contact Us

Shodan ® - All rights reserved