CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-4480 – Arbitrary File Read in Fusion File Manager
https://notcve.org/view.php?id=CVE-2023-4480
05 Sep 2023 — Due to an out-of-date dependency in the “Fusion File Manager” component accessible through the admin panel, an attacker can send a crafted request that allows them to read the contents of files on the system accessible within the privileges of the running process. Additionally, they may write files to arbitrary locations, provided the files pass the application’s mime-type and file extension validation. Debido a una dependencia desactualizada en el componente "Fusion File Manager" accesible a través del pan... • https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-advisory-cve-2023-2453 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2453 – Local file Inclusion (LFI) in Forum Infusion via Directory Traversal
https://notcve.org/view.php?id=CVE-2023-2453
05 Sep 2023 — There is insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a ‘require_once’ statement. This allows arbitrary files with the ‘.php’ extension for which the absolute path is known to be included and executed. There are no known means in PHPFusion through which an attacker can upload and target a ‘.php’ file payload. La limpieza de nombres de archivo contaminados que se concatenan directamente con una ruta que posteriormente se pasa a una ... • https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-advisory-cve-2023-2453 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3152 – Unverified Password Change in phpfusion/phpfusion
https://notcve.org/view.php?id=CVE-2022-3152
07 Sep 2022 — Unverified Password Change in GitHub repository phpfusion/phpfusion prior to 9.10.20. Un Cambio de Contraseña no Verificado en el repositorio de GitHub phpfusion/phpfusion versiones anteriores a 9.10.20 • https://github.com/phpfusion/phpfusion/commit/57c96d4a0c00e8e1e25100087654688123c6e991 • CWE-287: Improper Authentication CWE-620: Unverified Password Change •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2020-35687 – PHP-Fusion CMS 9.03.90 - Cross-Site Request Forgery (Delete admin shoutbox message)
https://notcve.org/view.php?id=CVE-2020-35687
13 Jan 2021 — PHPFusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of all shoutbox messages by the attacker on behalf of the logged in victim. PHPFusion versión 9.03.90, es vulnerable a un ataque CSRF que conlleva a la eliminación de todos los mensajes de shoutbox por parte del atacante en nombre de la víctima que inició sesión. • https://www.exploit-db.com/exploits/49426 • CWE-352: Cross-Site Request Forgery (CSRF) •