Page 2 of 8 results (0.006 seconds)

CVSS: 6.0EPSS: 0%CPEs: 2EXPL: 3

SQL injection vulnerability in submit.php in PHP-Fusion 6.01.14 and 6.00.307, when magic_quotes_gpc is disabled and the database table prefix is known, allows remote authenticated users to execute arbitrary SQL commands via the submit_info[] parameter in a link submission action. NOTE: it was later reported that 7.00.2 is also affected. Vulnerabilidad de inyección SQL en el archivo submit.php en PHP-Fusion versiones 6.01.14 y 6.00.307, cuando magic_quotes_gpc está deshabilitado y se conoce el prefijo de la tabla de base de datos, permite a los usuarios autenticados remotos ejecutar comandos SQL arbitrarios por medio del parámetro submit_info[] en una acción link submission. NOTA: más tarde se reportó que versión 7.00.2 también está afectada. • https://www.exploit-db.com/exploits/5470 https://www.exploit-db.com/exploits/7576 http://osvdb.org/51052 http://secunia.com/advisories/29930 http://secunia.com/advisories/33295 http://www.php-fusion.co.uk/news.php http://www.securityfocus.com/bid/28855 http://www.vupen.com/english/advisories/2008/1318/references https://exchange.xforce.ibmcloud.com/vulnerabilities/41914 https://exchange.xforce.ibmcloud.com/vulnerabilities/47610 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 5.8EPSS: 0%CPEs: 26EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in submit.php in PHP-Fusion before 6.01.3 allow remote attackers to inject arbitrary web script or HTML by using edit_profile.php to upload a (1) avatar or (2) forum image attachment that has a .gif or .jpg extension, and begins with a GIF header followed by JavaScript code, which is executed by Internet Explorer. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en submit.php de PHP-Fusion before 6.01.3 permiten a atacantes remotos inyectar web script o HTML de su elección usando edit_profile.php para enviar imágenes adjuntas de (1) avatar o (2) forum que tienen extension .gif o .jpg, y comenzando con una cabecera GIF seguida de código JavaScript, el cual es ejecutado por Internet Explorer. • http://php-fusion.co.uk/news.php http://secunia.com/advisories/20904 http://securityreason.com/securityalert/1224 http://www.securityfocus.com/archive/1/438938/100/0/threaded http://www.securityfocus.com/bid/18787 http://www.vupen.com/english/advisories/2006/2655 https://exchange.xforce.ibmcloud.com/vulnerabilities/27537 •

CVSS: 6.4EPSS: 4%CPEs: 2EXPL: 2

SQL injection vulnerability in messages.php in PHP-Fusion 6.00.307 and earlier allows remote authenticated users to execute arbitrary SQL commands via the srch_where parameter. • https://www.exploit-db.com/exploits/1796 http://retrogod.altervista.org/phpfusion_600306_sql.html http://secunia.com/advisories/20129 http://securityreason.com/securityalert/922 http://securitytracker.com/id?1016111 http://www.osvdb.org/25542 http://www.securityfocus.com/archive/1/434162/100/0/threaded http://www.securityfocus.com/bid/18009 http://www.vupen.com/english/advisories/2006/1839 https://exchange.xforce.ibmcloud.com/vulnerabilities/26491 •