Php-Fusion: Security Vulnerabilities
PHPFusion version 9.03.90 is vulnerable to a CSRF attack that lets an attacker delete all shoutbox messages on behalf of a logged-in victim.
CVSS Score: 4.3 | EPSS Score: 0.001 | Published: 2021-01-13
login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow enumeration.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2021-01-03
Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE).
CVSS Score: 8.8 | EPSS Score: 0.903 | Published: 2020-09-03
PHP-Fusion 9.03.60 is affected by Cross Site Scripting (XSS) via infusions/member_poll_panel/poll_admin.php.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2020-08-26
PHP-Fusion 9.03 allows XSS via the error_log file.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2020-08-12
PHP-Fusion 9.03 allows XSS on the preview page.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2020-08-12
PHP-Fusion 9.03.60 allows XSS via the administration/site_links.php Add Site Link field.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2020-06-24
A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter,
CVSS Score: 7.2 | EPSS Score: 0.004 | Published: 2020-06-22
In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2020-05-08
Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php.
CVSS Score: 5.4 | EPSS Score: 0.017 | Published: 2020-05-07

