CVE-2008-2227 – Forum Rank System 6 - 'settings['locale']' Multiple Local File Inclusions
https://notcve.org/view.php?id=CVE-2008-2227
Multiple directory traversal vulnerabilities in PHP-Fusion Forum Rank System 6 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the settings[locale] parameter to (1) forum.php and (2) profile.php in infusions/rank_system/. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Múltiples vulnerabilidades de Salto de Directorio en PHP-Fusion Forum Rank System 6 permiten a atacantes remotos incluir y ejecutar archivos locales arbitrariamente a través de un .. (punto punto) en el parámetro configuración [local] de (1) forum.php y (2) profile.php en infusions/rank_system/. • https://www.exploit-db.com/exploits/31752 http://secunia.com/advisories/30304 http://www.securityfocus.com/bid/29077 http://www.securityfocus.com/bid/29077/exploit https://exchange.xforce.ibmcloud.com/vulnerabilities/42244 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2008-1918 – PHP-Fusion 6.01.14 - Blind SQL Injection
https://notcve.org/view.php?id=CVE-2008-1918
SQL injection vulnerability in submit.php in PHP-Fusion 6.01.14 and 6.00.307, when magic_quotes_gpc is disabled and the database table prefix is known, allows remote authenticated users to execute arbitrary SQL commands via the submit_info[] parameter in a link submission action. NOTE: it was later reported that 7.00.2 is also affected. Vulnerabilidad de inyección SQL en el archivo submit.php en PHP-Fusion versiones 6.01.14 y 6.00.307, cuando magic_quotes_gpc está deshabilitado y se conoce el prefijo de la tabla de base de datos, permite a los usuarios autenticados remotos ejecutar comandos SQL arbitrarios por medio del parámetro submit_info[] en una acción link submission. NOTA: más tarde se reportó que versión 7.00.2 también está afectada. • https://www.exploit-db.com/exploits/5470 https://www.exploit-db.com/exploits/7576 http://osvdb.org/51052 http://secunia.com/advisories/29930 http://secunia.com/advisories/33295 http://www.php-fusion.co.uk/news.php http://www.securityfocus.com/bid/28855 http://www.vupen.com/english/advisories/2008/1318/references https://exchange.xforce.ibmcloud.com/vulnerabilities/41914 https://exchange.xforce.ibmcloud.com/vulnerabilities/47610 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2007-5187 – PHP-Fusion module Expanded Calendar 2.x - SQL Injection
https://notcve.org/view.php?id=CVE-2007-5187
SQL injection vulnerability in infusions/calendar_events_panel/show_single.php in the Expanded Calendar 2.x module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the sel parameter. Vulnerabilidad de inyección SQL en infusions/calendar_events_panel/show_single.php del módulo Expanded Calendar 2.x para PHP-Fusion permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro sel. • https://www.exploit-db.com/exploits/4475 http://osvdb.org/38593 http://www.securityfocus.com/bid/25876 http://www.vupen.com/english/advisories/2007/3331 https://exchange.xforce.ibmcloud.com/vulnerabilities/36904 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2007-3559
https://notcve.org/view.php?id=CVE-2007-3559
Cross-site scripting (XSS) vulnerability in infusions/shoutbox_panel/shoutbox_panel.php in PHP-Fusion 6.01.10 and 6.01.9, when guest posts are enabled, allows remote authenticated users to inject arbitrary web script or HTML via the URI, related to the FUSION_QUERY constant. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en infusions/shoutbox_panel/shoutbox_panel.php en PHP-Fusion 6.01.10 y 6.01.9, cuando los mensajes de invitados están habilitados, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través del URI, relacionado con la constante FUSION_QUERY. • http://osvdb.org/36342 http://secunia.com/advisories/25907 http://www.securityfocus.com/bid/24733 http://www.xssed.com/advisory/60/PHP-FUSION_FUSION_QUERY_Cross-Site_Scripting_Vulnerability https://exchange.xforce.ibmcloud.com/vulnerabilities/35225 •
CVE-2007-1978 – PHP-Fusion Module Arcade 1.0 - 'cid' SQL Injection
https://notcve.org/view.php?id=CVE-2007-1978
SQL injection vulnerability in index.php in the Arcade 1.00 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view_game_list action. Vulnerabilidad de inyección SQL en index.php en el módulo Arcade 1.00 para PHP-Fusion permite a atacantes remotos ejecutar comandos sql de su elección mediante el parámetro cid en una acción view_game_list. • https://www.exploit-db.com/exploits/3640 http://osvdb.org/37410 http://www.vupen.com/english/advisories/2007/1205 https://exchange.xforce.ibmcloud.com/vulnerabilities/33361 •