CVSS: 9.0EPSS: 42%CPEs: 1EXPL: 2CVE-2019-12099 – PHP-Fusion 9.03.00 - 'Edit Profile' Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-12099
14 May 2019 — In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload. En PHP-Fusion versión 9.03.00, el archivo edit_profile.php permite a los usuarios autenticados remotamente ejecutar código arbitrario porque includes/dynamics/includes/form_fileinput.php y includes/classes/PHPFusion/Installer/Lib/Core.settings.in... • https://www.exploit-db.com/exploits/46839 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2015-8375
https://notcve.org/view.php?id=CVE-2015-8375
25 Sep 2017 — Cross-site scripting (XSS) vulnerability in PHP-Fusion 9. Existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en PHP-Fusion 9. • http://cve.killedkenny.io/cve/CVE-2015-8375 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 4%CPEs: 1EXPL: 5CVE-2014-8596 – PHP-Fusion 7.02.07 - SQL Injection
https://notcve.org/view.php?id=CVE-2014-8596
11 Nov 2014 — Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow remote authenticated users to execute arbitrary SQL commands via the (1) submit_id parameter in a 2 action to files/administration/submissions.php or (2) status parameter to files/administration/members.php. Múltiples vulnerabilidades de inyección SQL en PHP-Fusion 7.02.07 permiten a usuarios remotos autenticados ejecutar comandos SQL arbitrarios en el parámetro submit_id en /administration/submissions.php (2) y el parámetro status en files/... • https://packetstorm.news/files/id/129053 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 5%CPEs: 5EXPL: 1CVE-2013-1803 – PHP-Fusion 7.02.05 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1803
05 May 2014 — Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to execute arbitrary SQL commands via the (1) orderby parameter to downloads.php; or remote authenticated users with certain permissions to execute arbitrary SQL commands via a (2) parameter name starting with "delete_attach_" in an edit action to forum/postedit.php; the (3) poll_opts[] parameter in a newthread action to forum/postnewthread.php; the (4) pm_email_notify, (5) pm_save_sent, (6) pm_inbox, (7) pm_sentbox, ... • https://www.exploit-db.com/exploits/24562 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 7%CPEs: 5EXPL: 1CVE-2013-7375 – PHP-Fusion 7.02.05 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-7375
05 May 2014 — SQL injection vulnerability in includes/classes/Authenticate.class.php in PHP-Fusion 7.02.01 through 7.02.05 allows remote attackers to execute arbitrary SQL commands via the user ID in a user cookie, a different vulnerability than CVE-2013-1803. Vulnerabilidad de inyección SQL en includes/classes/Authenticate.class.php en PHP-Fusion 7.02.01 hasta 7.02.05 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del ID de usuario en una cookie de usuario, una vulnerabilidad diferente a CVE-2013... • https://www.exploit-db.com/exploits/24562 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 19%CPEs: 5EXPL: 3CVE-2013-1806 – PHP-Fusion 7.02.05 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1806
30 Apr 2014 — Multiple directory traversal vulnerabilities in PHP-Fusion before 7.02.06 allow remote authenticated users to include and execute arbitrary files via a .. (dot dot) in the (1) user_theme parameter to maincore.php; or remote authenticated administrators to delete arbitrary files via the (2) enable parameter to administration/user_fields.php or (3) file parameter to administration/db_backup.php. Múltiples vulnerabilidades de salto de directorio en PHP-Fusion anterior a 7.02.06 permiten a usuarios remotos aute... • https://www.exploit-db.com/exploits/24562 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 23%CPEs: 5EXPL: 3CVE-2013-1807 – PHP-Fusion 7.02.05 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1807
30 Apr 2014 — PHP-Fusion before 7.02.06 stores backup files with predictable filenames in an unrestricted directory under the web document root, which might allow remote attackers to obtain sensitive information via a direct request to the backup file in administration/db_backups/. PHP-Fusion anterior a 7.02.06 almacena archivos de copia de seguridad con nombres de archivo previsibles en un directorio no restringido bajo el root de documento web, lo que podría permitir a atacantes remotos obtener información sensible a t... • https://www.exploit-db.com/exploits/24562 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.4EPSS: 11%CPEs: 5EXPL: 1CVE-2013-1804 – PHP-Fusion 7.02.05 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1804
29 Apr 2014 — Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (2) user_list or (3) user_types parameter to messages.php; (4) message parameter to infusions/shoutbox_panel/shoutbox_admin.php; (5) message parameter to administration/news.php; (6) panel_list parameter to adm... • https://www.exploit-db.com/exploits/24562 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2012-6043 – PHP-Fusion 7.2.4 - 'downloads.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-6043
26 Nov 2012 — Cross-site scripting (XSS) vulnerability in downloads.php in PHP-Fusion 7.02.04 allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en downloads.php en PHP-Fusion v7.02.04 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro cat_id. • https://www.exploit-db.com/exploits/36541 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 24%CPEs: 1EXPL: 4CVE-2010-4931 – PHP-Fusion - Local File Inclusion
https://notcve.org/view.php?id=CVE-2010-4931
09 Oct 2011 — Directory traversal vulnerability in maincore.php in PHP-Fusion allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the folder_level parameter. NOTE: this issue has been disputed by a reliable third party **EN DISPUTA** Vulnerabilidad de salto de directorio en maincore.php in PHP-Fusion, permite a atacantes remotos incluir y ejecutar ficheros locales de su elección al utilizar caracteres .. (punto punto) en el parámetro folder_level. NOTA: está disputada por un tercero... • https://www.exploit-db.com/exploits/14647 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •