CVSS: 7.5EPSS: 23%CPEs: 5EXPL: 3CVE-2013-1807 – PHP-Fusion 7.02.05 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1807
30 Apr 2014 — PHP-Fusion before 7.02.06 stores backup files with predictable filenames in an unrestricted directory under the web document root, which might allow remote attackers to obtain sensitive information via a direct request to the backup file in administration/db_backups/. PHP-Fusion anterior a 7.02.06 almacena archivos de copia de seguridad con nombres de archivo previsibles en un directorio no restringido bajo el root de documento web, lo que podría permitir a atacantes remotos obtener información sensible a t... • https://www.exploit-db.com/exploits/24562 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.4EPSS: 11%CPEs: 5EXPL: 1CVE-2013-1804 – PHP-Fusion 7.02.05 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1804
29 Apr 2014 — Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (2) user_list or (3) user_types parameter to messages.php; (4) message parameter to infusions/shoutbox_panel/shoutbox_admin.php; (5) message parameter to administration/news.php; (6) panel_list parameter to adm... • https://www.exploit-db.com/exploits/24562 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2012-6043 – PHP-Fusion 7.2.4 - 'downloads.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-6043
26 Nov 2012 — Cross-site scripting (XSS) vulnerability in downloads.php in PHP-Fusion 7.02.04 allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en downloads.php en PHP-Fusion v7.02.04 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro cat_id. • https://www.exploit-db.com/exploits/36541 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 24%CPEs: 1EXPL: 4CVE-2010-4931 – PHP-Fusion - Local File Inclusion
https://notcve.org/view.php?id=CVE-2010-4931
09 Oct 2011 — Directory traversal vulnerability in maincore.php in PHP-Fusion allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the folder_level parameter. NOTE: this issue has been disputed by a reliable third party **EN DISPUTA** Vulnerabilidad de salto de directorio en maincore.php in PHP-Fusion, permite a atacantes remotos incluir y ejecutar ficheros locales de su elección al utilizar caracteres .. (punto punto) en el parámetro folder_level. NOTA: está disputada por un tercero... • https://www.exploit-db.com/exploits/14647 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 4CVE-2010-4791 – PHP-Fusion Mod Mg User Fotoalbum 1.0.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2010-4791
27 Apr 2011 — SQL injection vulnerability in infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php in the MG User-Fotoalbum (mg_user_fotoalbum_panel) module 1.0.1 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the album_id parameter. Vulnerabilidad de inyección SQL en infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php del módulo MG User-Fotoalbum (mg_user_fotoalbum_panel) v1.0.1 para PHP-Fusion, permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro "a... • https://www.exploit-db.com/exploits/15227 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 2CVE-2011-0512 – PHP-Fusion Teams Structure Infusion Addon - SQL Injection
https://notcve.org/view.php?id=CVE-2011-0512
20 Jan 2011 — SQL injection vulnerability in team.php in the Teams Structure module 3.0 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the team_id parameter. Vulnerabilidad de inyección SQL en team.php en el módulo Teams Structure v3.0 para PHP-Fusion, permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro team_id • https://www.exploit-db.com/exploits/16004 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 3CVE-2009-4889 – PHP-Fusion Mod Book Panel - 'bookid' SQL Injection
https://notcve.org/view.php?id=CVE-2009-4889
11 Jun 2010 — SQL injection vulnerability in books.php in the Book Panel (book_panel) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the bookid parameter. Vulnerabilidad de inyección SQL en books.php en el módulo Book Panel (book_panel) de PHP-Fusion permite a los atacantes remotos ejecutar a su elección comandos SQL a través del parámetro bookid. • https://www.exploit-db.com/exploits/8186 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 3CVE-2009-3119 – PHP-fusion dsmsf Mod Downloads - SQL Injection
https://notcve.org/view.php?id=CVE-2009-3119
09 Sep 2009 — SQL injection vulnerability in screen.php in the Download System mSF (dsmsf) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the view_id parameter. Vulnerabilidad de inyección SQL en screen.php del módulo Download System mSF (dsmf) para PHP-Fusion, permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro "view_id". • https://www.exploit-db.com/exploits/12028 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2008-6850
https://notcve.org/view.php?id=CVE-2008-6850
07 Jul 2009 — Cross-site scripting (XSS) vulnerability in messages.php in PHP-Fusion 6.01.17 and 7.00.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en messages.php de PHP-Fusion v6.01.17 and v7.00.3, permite a usuarios remotos inyectar código web y HTML a su elección a través de vectores no especificados. • http://osvdb.org/51053 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 2CVE-2009-0831 – PHP-Fusion Mod Members CV (job) 1.0 - SQL Injection
https://notcve.org/view.php?id=CVE-2009-0831
05 Mar 2009 — SQL injection vulnerability in members.php in the Members CV (job) module 1.0 for PHP-Fusion, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the sortby parameter. Vulnerabilidad de inyección SQL en members.php en el módulo Members CV (job) v1.0 para PHP-Fusion, cuando magic_quotes_gpc no está activo, permite a usuarios remotos autenticados ejecutar comandos SQL de su elección a través del parámetro "sortby". • https://www.exploit-db.com/exploits/7697 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •