
CVE-2020-7700 – Prototype Pollution
https://notcve.org/view.php?id=CVE-2020-7700
14 Aug 2020 — All versions of phpjs are vulnerable to Prototype Pollution via parse_str. • https://snyk.io/vuln/SNYK-JS-PHPJS-598681 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVE-2020-17450
https://notcve.org/view.php?id=CVE-2020-17450
12 Aug 2020 — PHP-Fusion 9.03 allows XSS on the preview page. • https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-17449
https://notcve.org/view.php?id=CVE-2020-17449
12 Aug 2020 — PHP-Fusion 9.03 allows XSS via the error_log file. • https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-15041
https://notcve.org/view.php?id=CVE-2020-15041
24 Jun 2020 — PHP-Fusion 9.03.60 allows XSS via the Add Site Link field in administration/site_links.php. • https://github.com/php-fusion/PHP-Fusion/issues/2330 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-14960
https://notcve.org/view.php?id=CVE-2020-14960
21 Jun 2020 — A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter. • https://github.com/php-fusion/PHP-Fusion/commit/b3bde37f60e96f1a8ddd1439658307b28be77db5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2019-11048 – Temporary files are not cleaned after OOM when parsing HTTP request data
https://notcve.org/view.php?id=CVE-2019-11048
20 May 2020 — In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead the PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up the temporary files created by the upload request. This could lead to an accumulation of uncleaned temporary files that exhausts the disk space on the target server. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00045.html • CWE-190: Integer Overflow or Wraparound • CWE-400: Uncontrolled Resource Consumption

CVE-2020-12718
https://notcve.org/view.php?id=CVE-2020-12718
07 May 2020 — In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle. • https://github.com/php-fusion/PHP-Fusion/issues/2309 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-12706 – php-fusion 9.03.50 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-12706
07 May 2020 — Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php. • https://www.exploit-db.com/exploits/48404 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-12708
https://notcve.org/view.php?id=CVE-2020-12708
07 May 2020 — Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. NOTE: this might overlap CVE-2012-6043. • https://github.com/php-fusion/PHP-Fusion/issues/2310 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-12461
https://notcve.org/view.php?id=CVE-2020-12461
29 Apr 2020 — PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. An attacker can develop a crafted payload that can be inserted into the sort_order GET parameter on the members.php member search page. This parameter allows control over anything after the ORDER BY clause in the SQL query. • https://github.com/php-fusion/PHP-Fusion/commit/79fe5ec1d5c75e017a6f42127741b9543658f822 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')