CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 1CVE-2013-1804 – PHP-Fusion 7.02.05 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1804
Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (2) user_list or (3) user_types parameter to messages.php; (4) message parameter to infusions/shoutbox_panel/shoutbox_admin.php; (5) message parameter to administration/news.php; (6) panel_list parameter to administration/panel_editor.php; (7) HTTP User Agent string to administration/phpinfo.php; (8) "__BBCODE__" parameter to administration/bbcodes.php; errorMessage parameter to (9) article_cats.php, (10) download_cats.php, (11) news_cats.php, or (12) weblink_cats.php in administration/, when error is 3; or (13) body or (14) body2 parameter to administration/articles.php. Múltiples vulnerabilidades de XSS en PHP-Fusion anterior a 7.02.06 permiten a atacantes remotos inyectar script Web o HTML arbitrarios a través del (1) parámetro highlight hacia forum/viewthread.php; o usuarios remotos autenticados con ciertos permisos inyectar script Web o HTML arbitrarios a través del (2) parámetro user_list o (3) el parámetro user_types hacia messages.php; (4) el parámetro message hacia infusions/shoutbox_panel/shoutbox_admin.php; (5) el parámetro message hacia administration/news.php; (6) el parámetro panel_list hacia administration/panel_editor.php; (7) la cadena HTTP User Agent hacia administration/phpinfo.php; (8) el parámetro "__BBCODE__" hacia administration/bbcodes.php; el parámetro errorMessage hacia (9) article_cats.php, (10) download_cats.php, (11) news_cats.php o (12) weblink_cats.php en administration/, cuando el error es 3; o (13) el parámetro body o (14) body2 hacia administration/articles.php. • https://www.exploit-db.com/exploits/24562 http://osvdb.org/90707 http://osvdb.org/90708 http://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html http://seclists.org/fulldisclosure/2013/Feb/154 http://secunia.com/advisories/52403 http://www.openwall.com/lists/oss-security/2013/03/03/1 http://www.openwall.com/lists/oss-security/2013/03/03/2 http://www.php-fusion.co.uk/news.php?readmore=569 http://www.waraxe.us/advisory-97& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2012-6043 – PHP-Fusion 7.2.4 - 'downloads.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-6043
Cross-site scripting (XSS) vulnerability in downloads.php in PHP-Fusion 7.02.04 allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en downloads.php en PHP-Fusion v7.02.04 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro cat_id. • https://www.exploit-db.com/exploits/36541 http://packetstormsecurity.org/files/view/108542/phpfusion70204-xss.txt http://www.securityfocus.com/bid/51365 https://exchange.xforce.ibmcloud.com/vulnerabilities/72311 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2008-6850
https://notcve.org/view.php?id=CVE-2008-6850
Cross-site scripting (XSS) vulnerability in messages.php in PHP-Fusion 6.01.17 and 7.00.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en messages.php de PHP-Fusion v6.01.17 and v7.00.3, permite a usuarios remotos inyectar código web y HTML a su elección a través de vectores no especificados. • http://osvdb.org/51053 http://secunia.com/advisories/33295 http://www.php-fusion.co.uk/news.php?readmore=443 http://www.securityfocus.com/bid/33058 https://exchange.xforce.ibmcloud.com/vulnerabilities/47665 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 3CVE-2008-5946 – PHP-Fusion 4.01 - 'readmore.php' SQL Injection
https://notcve.org/view.php?id=CVE-2008-5946
SQL injection vulnerability in readmore.php in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the news_id parameter. Vulnerabilidad de inyección SQL en readmore.php en PHP-Fusion 4.01 permite a atacantes remotos ejecutar comandos SQL de su elección mediante el parámetro news_id. • https://www.exploit-db.com/exploits/32242 http://www.securityfocus.com/bid/30680 http://www.securityfocus.com/bid/30680/exploit https://exchange.xforce.ibmcloud.com/vulnerabilities/44456 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 2CVE-2008-5335 – PHP-Fusion 7.00.1 - 'messages.php' SQL Injection
https://notcve.org/view.php?id=CVE-2008-5335
SQL injection vulnerability in messages.php in PHP-Fusion 6.01.15 and 7.00.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the subject and msg_send parameters, a different vector than CVE-2005-3157, CVE-2005-3158, CVE-2005-3159, CVE-2005-4005, and CVE-2006-2459. Vulnerabilidad de inyección SQL en messages.php en PHP-Fusion v6.01.15 y v7.00.1, cuando magic_quotes_gpc se deshabilita, permitiría a atacantes remotos ejecutar comando SQL a su elección a traves de los parametros "subject" y "msg_send", es un vector diferente que CVE-2005-3157, CVE-2005-3158, CVE-2005-3159, CVE-2005-4005, y CVE-2006-2459. • https://www.exploit-db.com/exploits/7173 http://osvdb.org/50065 http://secunia.com/advisories/32781 http://securityreason.com/securityalert/4688 http://www.php-fusion.co.uk/downloads.php?cat_id=19 http://www.php-fusion.co.uk/news.php?readmore=435 http://www.php-fusion.co.uk/news.php?readmore=436 http://www.securityfocus.com/bid/32388 http://www.vupen.com/english/advisories/2008/3248 https://exchange.xforce.ibmcloud.com/vulnerabilities/46760 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •