
CVE-2008-1918 – PHP-Fusion 6.01.14 - Blind SQL Injection
https://notcve.org/view.php?id=CVE-2008-1918
22 Apr 2008 — SQL injection vulnerability in submit.php in PHP-Fusion 6.01.14 and 6.00.307, when magic_quotes_gpc is disabled and the database table prefix is known, allows remote authenticated users to execute arbitrary SQL commands via the submit_info[] parameter in a link submission action. NOTE: it was later reported that 7.00.2 is also affected. • https://www.exploit-db.com/exploits/5470 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2007-6300
https://notcve.org/view.php?id=CVE-2007-6300
10 Dec 2007 — Cross-site request forgery (CSRF) vulnerability in Fusion News 3.9.0 allows remote attackers to perform unauthorized actions via unspecified vectors. • http://osvdb.org/40861 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2007-5187 – PHP-Fusion module Expanded Calendar 2.x - SQL Injection
https://notcve.org/view.php?id=CVE-2007-5187
03 Oct 2007 — SQL injection vulnerability in infusions/calendar_events_panel/show_single.php in the Expanded Calendar 2.x module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the sel parameter. • https://www.exploit-db.com/exploits/4475 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2007-3559
https://notcve.org/view.php?id=CVE-2007-3559
04 Jul 2007 — Cross-site scripting (XSS) vulnerability in infusions/shoutbox_panel/shoutbox_panel.php in PHP-Fusion 6.01.10 and 6.01.9, when guest posts are enabled, allows remote authenticated users to inject arbitrary web script or HTML via the URI, related to the FUSION_QUERY constant. • http://osvdb.org/36342

CVE-2007-1978 – PHP-Fusion Module Arcade 1.0 - 'cid' SQL Injection
https://notcve.org/view.php?id=CVE-2007-1978
12 Apr 2007 — SQL injection vulnerability in index.php in the Arcade 1.00 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view_game_list action. • https://www.exploit-db.com/exploits/3640

CVE-2007-1845 – PHP-Fusion 6.1.5 Mod Calendar_Panel - 'Show_Event.php' SQL Injection
https://notcve.org/view.php?id=CVE-2007-1845
03 Apr 2007 — SQL injection vulnerability in show_event.php in the Expanded Calendar (calendar_panel) 2.00 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the m_month parameter. • https://www.exploit-db.com/exploits/29806

CVE-2006-4673 – PHP-Fusion 6.0.x - 'news.php' SQL Injection
https://notcve.org/view.php?id=CVE-2006-4673
11 Sep 2006 — Global variable overwrite vulnerability in maincore.php in PHP-Fusion 6.01.4 and earlier uses the extract function on the superglobals, which allows remote attackers to conduct SQL injection attacks via the _SERVER[REMOTE_ADDR] parameter to news.php. • https://www.exploit-db.com/exploits/28496

CVE-2006-3555
https://notcve.org/view.php?id=CVE-2006-3555
13 Jul 2006 — Multiple cross-site scripting (XSS) vulnerabilities in submit.php in PHP-Fusion before 6.01.3 allow remote attackers to inject arbitrary web script or HTML by using edit_profile.php to upload a (1) avatar or (2) forum image attachment that has a .gif or .jpg extension, and begins with a GIF header followed by JavaScript code, which is executed by Internet Explorer. • http://php-fusion.co.uk/news.php

CVE-2006-2459 – PHP-Fusion 6.00.306 - 'srch_where' SQL Injection
https://notcve.org/view.php?id=CVE-2006-2459
19 May 2006 — SQL injection vulnerability in messages.php in PHP-Fusion 6.00.307 and earlier allows remote authenticated users to execute arbitrary SQL commands via the srch_where parameter. • https://www.exploit-db.com/exploits/1796

CVE-2006-2330 – PHP-Fusion 6.00.306 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2006-2330
12 May 2006 — PHP-Fusion 6.00.306 and earlier, running under Apache HTTP Server 1.3.27 and PHP 4.3.3, allows remote authenticated users to upload files of arbitrary types using a filename that contains two or more extensions that ends in an assumed-valid extension such as .gif, which bypasses the validation, as demonstrated by uploading then executing an avatar file that ends in ".php.gif" and contains PHP code in EXIF metadata. • https://www.exploit-db.com/exploits/1760