CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-3172
https://notcve.org/view.php?id=CVE-2021-3172
17 Feb 2023 — An issue in Php-Fusion v9.03.90 fixed in v9.10.00 allows authenticated attackers to cause a Distributed Denial of Service via the Polling feature. • https://github.com/PHPFusion/PHPFusion/commit/7b8df6925cc7cfd8585d4f34d9120ff3a2e5753e • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41996 – WordPress Avada premium theme <= 7.8.1 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-41996
21 Sep 2022 — Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada premium theme versions <= 7.8.1 on WordPress leading to arbitrary plugin installation/activation. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el tema premium del ThemeFusion Avada en versiones <= 7.8.1 en WordPress, lo que provoca la instalación/activación arbitraria de complementos. The Avada theme for WordPress is vulnerable to Cross-Site Request forgery in versions up to, and including, 7.8.1 in class-avada-admin.php. This... • https://patchstack.com/database/vulnerability/avada/wordpress-avada-premium-theme-7-8-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3152 – Unverified Password Change in phpfusion/phpfusion
https://notcve.org/view.php?id=CVE-2022-3152
07 Sep 2022 — Unverified Password Change in GitHub repository phpfusion/phpfusion prior to 9.10.20. Un Cambio de Contraseña no Verificado en el repositorio de GitHub phpfusion/phpfusion versiones anteriores a 9.10.20 • https://github.com/phpfusion/phpfusion/commit/57c96d4a0c00e8e1e25100087654688123c6e991 • CWE-287: Improper Authentication CWE-620: Unverified Password Change •
CVSS: 9.8EPSS: 93%CPEs: 2EXPL: 7CVE-2022-1386 – Fusion Builder < 3.6.2 - Unauthenticated SSRF
https://notcve.org/view.php?id=CVE-2022-1386
19 Apr 2022 — The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures. El plugin Fusion Builder de WordPress versiones anteriores a 3.6.2, usado en el tema Avada, no comprueba un parámetro en sus formularios que pod... • https://github.com/ardzz/CVE-2022-1386 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2014-8597
https://notcve.org/view.php?id=CVE-2014-8597
17 Feb 2022 — A reflected cross-site scripting (XSS) vulnerability in PHP-Fusion 7.02.07 allows remote attackers to inject arbitrary web script or HTML via the status parameter in the CMS admin panel. Una vulnerabilidad de tipo cross-site scripting (XSS) reflejada en PHP-Fusion versión 7.02.07, permite a atacantes remotos inyectar script web o HTML arbitrario por medio del parámetro status en el panel de administración del CMS • https://www.xlabs.com.br/blog/cve-2014-8597-php-fusion-xss-injection-reflected • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2020-23754
https://notcve.org/view.php?id=CVE-2020-23754
02 Nov 2021 — Cross Site Scripting (XSS) vulnerability in infusions/member_poll_panel/poll_admin.php in PHP-Fusion 9.03.50, allows attackers to execute arbitrary code, via the polls feature. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en el archivo infusions/member_poll_panel/poll_admin.php en PHP-Fusion 9.03.50, permite a atacantes ejecutar código arbitrario, por medio de la funcionalidad polls • https://github.com/php-fusion/PHP-Fusion/issues/2315 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2021-40188
https://notcve.org/view.php?id=CVE-2021-40188
11 Oct 2021 — PHPFusion 9.03.110 is affected by an arbitrary file upload vulnerability. The File Manager function in admin panel does not filter all PHP extensions such as ".php, .php7, .phtml, .php5, ...". An attacker can upload a malicious file and execute code on the server. PHPFusion versión 9.03.110, está afectado por una vulnerabilidad de carga de archivos arbitraria. La función File Manager en el panel de administración no filtra todas las extensiones de PHP como ".php, .php7, .phtml, .php5, ...". • https://github.com/PHPFusion/PHPFusion/issues/2372 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.2EPSS: 2%CPEs: 1EXPL: 1CVE-2021-40189
https://notcve.org/view.php?id=CVE-2021-40189
11 Oct 2021 — PHPFusion 9.03.110 is affected by a remote code execution vulnerability. The theme function will extract a file to "webroot/themes/{Theme Folder], where an attacker can access and execute arbitrary code. PHPFusion versión 9.03.110, está afectado por una vulnerabilidad de ejecución de código remota . La función theme extrae un archivo a "webroot/themes/{Theme Folder], donde un atacante puede acceder y ejecutar código arbitrario • https://github.com/PHPFusion/PHPFusion/issues/2374 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-40541
https://notcve.org/view.php?id=CVE-2021-40541
11 Oct 2021 — PHPFusion 9.03.110 is affected by cross-site scripting (XSS) in the preg patterns filter html tag without "//" in descript() function An authenticated user can trigger XSS by appending "//" in the end of text. PHPFusion versión 9.03.110, está afectado por una vulnerabilidad de tipo cross-site scripting (XSS) en la etiqueta html preg patterns filter sin "//" en la función descript() Un usuario autenticado puede desencadenar un ataque de tipo XSS añadiendo "//" al final del texto • https://github.com/PHPFusion/PHPFusion/issues/2373 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 2CVE-2020-23702
https://notcve.org/view.php?id=CVE-2020-23702
07 Jul 2021 — Cross Site Scripting (XSS) vulnerability in PHP-Fusion 9.03.60 via 'New Shout' in /infusions/shoutbox_panel/shoutbox_admin.php. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en PHP-Fusion versión 9.03.60, por medio de "New Shout" en el archivo /infusions/shoutbox_panel/shoutbox_admin.php • https://github.com/phpfusion/PHPFusion/issues/2328 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •