Total
45 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-12708 | 1 Php-fusion | 1 Php-fusion | 2020-05-12 | 4.3 MEDIUM | 6.1 MEDIUM |
Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. NOTE: this might overlap CVE-2012-6043. | |||||
CVE-2020-12461 | 1 Php-fusion | 1 Php-fusion | 2020-05-05 | 6.5 MEDIUM | 8.8 HIGH |
PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. An attacker can develop a crafted payload that can be inserted into the sort_order GET parameter on the members.php members search page. This parameter allows for control over anything after the ORDER BY clause in the SQL query. | |||||
CVE-2020-12438 | 1 Php-fusion | 1 Php-fusion | 2020-05-05 | 3.5 LOW | 5.4 MEDIUM |
An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags. | |||||
CVE-2008-5733 | 1 Php-fusion | 2 Php-fusion, Team Impact Ti Blog System Module | 2018-10-30 | 7.5 HIGH | N/A |
SQL injection vulnerability in blog.php in the Team Impact TI Blog System mod for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||||
CVE-2009-0832 | 2 Ausimods, Php-fusion | 2 E-cart, Php-fusion | 2018-10-10 | 7.5 HIGH | N/A |
SQL injection vulnerability in items.php in the E-Cart module 1.3 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the CA parameter. | |||||
CVE-2015-8375 | 1 Php-fusion | 1 Php-fusion | 2017-10-06 | 3.5 LOW | 5.4 MEDIUM |
Cross-site scripting (XSS) vulnerability in PHP-Fusion 9. | |||||
CVE-2014-8596 | 1 Php-fusion | 1 Php-fusion | 2017-10-02 | 7.5 HIGH | N/A |
Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow remote authenticated users to execute arbitrary SQL commands via the (1) submit_id parameter in a 2 action to files/administration/submissions.php or (2) status parameter to files/administration/members.php. | |||||
CVE-2009-0831 | 1 Php-fusion | 2 Members Cv Module, Php-fusion | 2017-09-28 | 6.0 MEDIUM | N/A |
SQL injection vulnerability in members.php in the Members CV (job) module 1.0 for PHP-Fusion, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the sortby parameter. | |||||
CVE-2008-5074 | 1 Php-fusion | 2 Freshlinks Module, Php-fusion | 2017-09-28 | 7.5 HIGH | N/A |
SQL injection vulnerability in index.php in the Freshlinks 1.0 RC1 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the linkid parameter. | |||||
CVE-2008-5196 | 1 Php-fusion | 2 Php-fusion, The Kroax Module | 2017-09-28 | 7.5 HIGH | N/A |
SQL injection vulnerability in kroax.php in the Kroax (the_kroax) 4.42 and earlier module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the category parameter. | |||||
CVE-2008-5335 | 1 Php-fusion | 1 Php-fusion | 2017-09-28 | 6.8 MEDIUM | N/A |
SQL injection vulnerability in messages.php in PHP-Fusion 6.01.15 and 7.00.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the subject and msg_send parameters, a different vector than CVE-2005-3157, CVE-2005-3158, CVE-2005-3159, CVE-2005-4005, and CVE-2006-2459. | |||||
CVE-2008-1918 | 1 Php-fusion | 1 Php-fusion | 2017-09-28 | 6.0 MEDIUM | N/A |
SQL injection vulnerability in submit.php in PHP-Fusion 6.01.14 and 6.00.307, when magic_quotes_gpc is disabled and the database table prefix is known, allows remote authenticated users to execute arbitrary SQL commands via the submit_info[] parameter in a link submission action. NOTE: it was later reported that 7.00.2 is also affected. | |||||
CVE-2009-4889 | 2 Basti2web, Php-fusion | 2 Book Panel, Php-fusion | 2017-09-18 | 7.5 HIGH | N/A |
SQL injection vulnerability in books.php in the Book Panel (book_panel) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the bookid parameter. | |||||
CVE-2012-6043 | 1 Php-fusion | 1 Php-fusion | 2017-08-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in downloads.php in PHP-Fusion 7.02.04 allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter. | |||||
CVE-2011-0512 | 2 Jikaka, Php-fusion | 2 Teams Structure Module, Php-fusion | 2017-08-16 | 6.8 MEDIUM | N/A |
SQL injection vulnerability in team.php in the Teams Structure module 3.0 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the team_id parameter. | |||||
CVE-2010-4791 | 2 Marcusg, Php-fusion | 2 Mg User Fotoalbum Panel, Php-fusion | 2017-08-16 | 7.5 HIGH | N/A |
SQL injection vulnerability in infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php in the MG User-Fotoalbum (mg_user_fotoalbum_panel) module 1.0.1 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the album_id parameter. | |||||
CVE-2008-6850 | 1 Php-fusion | 1 Php-fusion | 2017-08-16 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in messages.php in PHP-Fusion 6.01.17 and 7.00.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2008-5946 | 1 Php-fusion | 1 Php-fusion | 2017-08-07 | 7.5 HIGH | N/A |
SQL injection vulnerability in readmore.php in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the news_id parameter. | |||||
CVE-2007-3559 | 1 Php-fusion | 1 Php-fusion | 2017-07-28 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in infusions/shoutbox_panel/shoutbox_panel.php in PHP-Fusion 6.01.10 and 6.01.9, when guest posts are enabled, allows remote authenticated users to inject arbitrary web script or HTML via the URI, related to the FUSION_QUERY constant. | |||||
CVE-2013-7375 | 1 Php-fusion | 1 Php-fusion | 2016-12-30 | 7.5 HIGH | N/A |
SQL injection vulnerability in includes/classes/Authenticate.class.php in PHP-Fusion 7.02.01 through 7.02.05 allows remote attackers to execute arbitrary SQL commands via the user ID in a user cookie, a different vulnerability than CVE-2013-1803. |