// For flags

CVE-2013-1804

PHP-Fusion 7.02.05 - Multiple Vulnerabilities

Severity Score

5.4
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (2) user_list or (3) user_types parameter to messages.php; (4) message parameter to infusions/shoutbox_panel/shoutbox_admin.php; (5) message parameter to administration/news.php; (6) panel_list parameter to administration/panel_editor.php; (7) HTTP User Agent string to administration/phpinfo.php; (8) "__BBCODE__" parameter to administration/bbcodes.php; errorMessage parameter to (9) article_cats.php, (10) download_cats.php, (11) news_cats.php, or (12) weblink_cats.php in administration/, when error is 3; or (13) body or (14) body2 parameter to administration/articles.php.

Múltiples vulnerabilidades de XSS en PHP-Fusion anterior a 7.02.06 permiten a atacantes remotos inyectar script Web o HTML arbitrarios a través del (1) parámetro highlight hacia forum/viewthread.php; o usuarios remotos autenticados con ciertos permisos inyectar script Web o HTML arbitrarios a través del (2) parámetro user_list o (3) el parámetro user_types hacia messages.php; (4) el parámetro message hacia infusions/shoutbox_panel/shoutbox_admin.php; (5) el parámetro message hacia administration/news.php; (6) el parámetro panel_list hacia administration/panel_editor.php; (7) la cadena HTTP User Agent hacia administration/phpinfo.php; (8) el parámetro "__BBCODE__" hacia administration/bbcodes.php; el parámetro errorMessage hacia (9) article_cats.php, (10) download_cats.php, (11) news_cats.php o (12) weblink_cats.php en administration/, cuando el error es 3; o (13) el parámetro body o (14) body2 hacia administration/articles.php.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2013-02-19 CVE Reserved
  • 2013-03-01 First Exploit
  • 2014-04-29 CVE Published
  • 2024-08-06 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Php-fusion
Search vendor "Php-fusion"
 Php-fusion
Search vendor "Php-fusion" for product "Php-fusion"
 <= 7.02.05
Search vendor "Php-fusion" for product "Php-fusion" and version " <= 7.02.05"
-
Affected
Php-fusion
Search vendor "Php-fusion"
 Php-fusion
Search vendor "Php-fusion" for product "Php-fusion"
 7.02.01
Search vendor "Php-fusion" for product "Php-fusion" and version "7.02.01"
-
Affected
Php-fusion
Search vendor "Php-fusion"
 Php-fusion
Search vendor "Php-fusion" for product "Php-fusion"
 7.02.02
Search vendor "Php-fusion" for product "Php-fusion" and version "7.02.02"
-
Affected
Php-fusion
Search vendor "Php-fusion"
 Php-fusion
Search vendor "Php-fusion" for product "Php-fusion"
 7.02.03
Search vendor "Php-fusion" for product "Php-fusion" and version "7.02.03"
-
Affected
Php-fusion
Search vendor "Php-fusion"
 Php-fusion
Search vendor "Php-fusion" for product "Php-fusion"
 7.02.04
Search vendor "Php-fusion" for product "Php-fusion" and version "7.02.04"
-
Affected