NotCVE - vendor:"Php-fusion" product:"Php-fusion" version:"6.01.17"

7 results (0.002 seconds)

CVSS: 9.0EPSS: 42%CPEs: 1EXPL: 2

CVE-2019-12099 – PHP-Fusion 9.03.00 - 'Edit Profile' Remote Code Execution

https://notcve.org/view.php?id=CVE-2019-12099

14 May 2019 — In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload. En PHP-Fusion versión 9.03.00, el archivo edit_profile.php permite a los usuarios autenticados remotamente ejecutar código arbitrario porque includes/dynamics/includes/form_fileinput.php y includes/classes/PHPFusion/Installer/Lib/Core.settings.in... • https://www.exploit-db.com/exploits/46839 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 8.8EPSS: 5%CPEs: 5EXPL: 1

CVE-2013-1803 – PHP-Fusion 7.02.05 - Multiple Vulnerabilities

https://notcve.org/view.php?id=CVE-2013-1803

05 May 2014 — Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to execute arbitrary SQL commands via the (1) orderby parameter to downloads.php; or remote authenticated users with certain permissions to execute arbitrary SQL commands via a (2) parameter name starting with "delete_attach_" in an edit action to forum/postedit.php; the (3) poll_opts[] parameter in a newthread action to forum/postnewthread.php; the (4) pm_email_notify, (5) pm_save_sent, (6) pm_inbox, (7) pm_sentbox, ... • https://www.exploit-db.com/exploits/24562 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.5EPSS: 19%CPEs: 5EXPL: 3

CVE-2013-1806 – PHP-Fusion 7.02.05 - Multiple Vulnerabilities

https://notcve.org/view.php?id=CVE-2013-1806

30 Apr 2014 — Multiple directory traversal vulnerabilities in PHP-Fusion before 7.02.06 allow remote authenticated users to include and execute arbitrary files via a .. (dot dot) in the (1) user_theme parameter to maincore.php; or remote authenticated administrators to delete arbitrary files via the (2) enable parameter to administration/user_fields.php or (3) file parameter to administration/db_backup.php. Múltiples vulnerabilidades de salto de directorio en PHP-Fusion anterior a 7.02.06 permiten a usuarios remotos aute... • https://www.exploit-db.com/exploits/24562 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.5EPSS: 23%CPEs: 5EXPL: 3

CVE-2013-1807 – PHP-Fusion 7.02.05 - Multiple Vulnerabilities

https://notcve.org/view.php?id=CVE-2013-1807

30 Apr 2014 — PHP-Fusion before 7.02.06 stores backup files with predictable filenames in an unrestricted directory under the web document root, which might allow remote attackers to obtain sensitive information via a direct request to the backup file in administration/db_backups/. PHP-Fusion anterior a 7.02.06 almacena archivos de copia de seguridad con nombres de archivo previsibles en un directorio no restringido bajo el root de documento web, lo que podría permitir a atacantes remotos obtener información sensible a t... • https://www.exploit-db.com/exploits/24562 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 5.4EPSS: 11%CPEs: 5EXPL: 1

CVE-2013-1804 – PHP-Fusion 7.02.05 - Multiple Vulnerabilities

https://notcve.org/view.php?id=CVE-2013-1804

29 Apr 2014 — Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (2) user_list or (3) user_types parameter to messages.php; (4) message parameter to infusions/shoutbox_panel/shoutbox_admin.php; (5) message parameter to administration/news.php; (6) panel_list parameter to adm... • https://www.exploit-db.com/exploits/24562 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0

CVE-2008-6850

https://notcve.org/view.php?id=CVE-2008-6850

07 Jul 2009 — Cross-site scripting (XSS) vulnerability in messages.php in PHP-Fusion 6.01.17 and 7.00.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en messages.php de PHP-Fusion v6.01.17 and v7.00.3, permite a usuarios remotos inyectar código web y HTML a su elección a través de vectores no especificados. • http://osvdb.org/51053 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 2

CVE-2008-5335 – PHP-Fusion 7.00.1 - 'messages.php' SQL Injection

https://notcve.org/view.php?id=CVE-2008-5335

05 Dec 2008 — SQL injection vulnerability in messages.php in PHP-Fusion 6.01.15 and 7.00.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the subject and msg_send parameters, a different vector than CVE-2005-3157, CVE-2005-3158, CVE-2005-3159, CVE-2005-4005, and CVE-2006-2459. Vulnerabilidad de inyección SQL en messages.php en PHP-Fusion v6.01.15 y v7.00.1, cuando magic_quotes_gpc se deshabilita, permitiría a atacantes remotos ejecutar comando SQL a su elección a traves ... • https://www.exploit-db.com/exploits/7173 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •