Filtered by vendor Php-fusion
Subscriptions
Total
60 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-53928 | 1 Php-fusion | 1 Phpfusion | 2025-12-18 | 5.4 Medium |
| PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session information or performing client-side attacks. | ||||
| CVE-2015-8375 | 1 Php-fusion | 1 Php-fusion | 2025-04-20 | N/A |
| Cross-site scripting (XSS) vulnerability in PHP-Fusion 9. | ||||
| CVE-2013-1804 | 1 Php-fusion | 1 Php-fusion | 2025-04-12 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (2) user_list or (3) user_types parameter to messages.php; (4) message parameter to infusions/shoutbox_panel/shoutbox_admin.php; (5) message parameter to administration/news.php; (6) panel_list parameter to administration/panel_editor.php; (7) HTTP User Agent string to administration/phpinfo.php; (8) "__BBCODE__" parameter to administration/bbcodes.php; errorMessage parameter to (9) article_cats.php, (10) download_cats.php, (11) news_cats.php, or (12) weblink_cats.php in administration/, when error is 3; or (13) body or (14) body2 parameter to administration/articles.php. | ||||
| CVE-2013-1807 | 1 Php-fusion | 1 Php-fusion | 2025-04-12 | N/A |
| PHP-Fusion before 7.02.06 stores backup files with predictable filenames in an unrestricted directory under the web document root, which might allow remote attackers to obtain sensitive information via a direct request to the backup file in administration/db_backups/. | ||||
| CVE-2013-1806 | 1 Php-fusion | 1 Php-fusion | 2025-04-12 | N/A |
| Multiple directory traversal vulnerabilities in PHP-Fusion before 7.02.06 allow remote authenticated users to include and execute arbitrary files via a .. (dot dot) in the (1) user_theme parameter to maincore.php; or remote authenticated administrators to delete arbitrary files via the (2) enable parameter to administration/user_fields.php or (3) file parameter to administration/db_backup.php. | ||||
| CVE-2014-8596 | 1 Php-fusion | 1 Php-fusion | 2025-04-12 | N/A |
| Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow remote authenticated users to execute arbitrary SQL commands via the (1) submit_id parameter in a 2 action to files/administration/submissions.php or (2) status parameter to files/administration/members.php. | ||||
| CVE-2013-7375 | 1 Php-fusion | 1 Php-fusion | 2025-04-12 | N/A |
| SQL injection vulnerability in includes/classes/Authenticate.class.php in PHP-Fusion 7.02.01 through 7.02.05 allows remote attackers to execute arbitrary SQL commands via the user ID in a user cookie, a different vulnerability than CVE-2013-1803. | ||||
| CVE-2013-1803 | 1 Php-fusion | 1 Php-fusion | 2025-04-12 | N/A |
| Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to execute arbitrary SQL commands via the (1) orderby parameter to downloads.php; or remote authenticated users with certain permissions to execute arbitrary SQL commands via a (2) parameter name starting with "delete_attach_" in an edit action to forum/postedit.php; the (3) poll_opts[] parameter in a newthread action to forum/postnewthread.php; the (4) pm_email_notify, (5) pm_save_sent, (6) pm_inbox, (7) pm_sentbox, or (8) pm_savebox parameter to administration/settings_messages.php; the (9) thumb_compression, (10) photo_watermark_text_color1, (11) photo_watermark_text_color2, or (12) photo_watermark_text_color3 parameter to administration/settings_photo.php; the (13) enable parameter to administration/bbcodes.php; the (14) news_image, (15) news_image_t1, or (16) news_image_t2 parameter to administration/news.php; the (17) news_id parameter in an edit action to administration/news.php; or the (18) article_id parameter in an edit action to administration/articles.php. NOTE: the user ID cookie issue in Authenticate.class.php is already covered by CVE-2013-7375. | ||||
| CVE-2010-4791 | 2 Marcusg, Php-fusion | 2 Mg User Fotoalbum Panel, Php-fusion | 2025-04-11 | N/A |
| SQL injection vulnerability in infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php in the MG User-Fotoalbum (mg_user_fotoalbum_panel) module 1.0.1 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the album_id parameter. | ||||
| CVE-2010-4931 | 1 Php-fusion | 1 Php-fusion | 2025-04-11 | N/A |
| Directory traversal vulnerability in maincore.php in PHP-Fusion allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the folder_level parameter. NOTE: this issue has been disputed by a reliable third party | ||||
| CVE-2012-6043 | 1 Php-fusion | 1 Php-fusion | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in downloads.php in PHP-Fusion 7.02.04 allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter. | ||||
| CVE-2009-4889 | 2 Basti2web, Php-fusion | 2 Book Panel, Php-fusion | 2025-04-11 | N/A |
| SQL injection vulnerability in books.php in the Book Panel (book_panel) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the bookid parameter. | ||||
| CVE-2011-0512 | 2 Jikaka, Php-fusion | 2 Teams Structure Module, Php-fusion | 2025-04-11 | N/A |
| SQL injection vulnerability in team.php in the Teams Structure module 3.0 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the team_id parameter. | ||||
| CVE-2008-6850 | 1 Php-fusion | 1 Php-fusion | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in messages.php in PHP-Fusion 6.01.17 and 7.00.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2008-5335 | 1 Php-fusion | 1 Php-fusion | 2025-04-09 | N/A |
| SQL injection vulnerability in messages.php in PHP-Fusion 6.01.15 and 7.00.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the subject and msg_send parameters, a different vector than CVE-2005-3157, CVE-2005-3158, CVE-2005-3159, CVE-2005-4005, and CVE-2006-2459. | ||||
| CVE-2008-4527 | 1 Php-fusion | 1 Recepies Module | 2025-04-09 | N/A |
| SQL injection vulnerability in recept.php in the Recepies (Recept) module 1.1 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the kat_id parameter in a kategorier action. NOTE: some of these details are obtained from third party information. | ||||
| CVE-2008-1918 | 1 Php-fusion | 1 Php-fusion | 2025-04-09 | N/A |
| SQL injection vulnerability in submit.php in PHP-Fusion 6.01.14 and 6.00.307, when magic_quotes_gpc is disabled and the database table prefix is known, allows remote authenticated users to execute arbitrary SQL commands via the submit_info[] parameter in a link submission action. NOTE: it was later reported that 7.00.2 is also affected. | ||||
| CVE-2008-5196 | 1 Php-fusion | 2 Php-fusion, The Kroax Module | 2025-04-09 | N/A |
| SQL injection vulnerability in kroax.php in the Kroax (the_kroax) 4.42 and earlier module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the category parameter. | ||||
| CVE-2008-5197 | 1 Php-fusion | 1 Php-fusion | 2025-04-09 | N/A |
| SQL injection vulnerability in classifieds.php in PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the lid parameter in a detail_adverts action. | ||||
| CVE-2007-5187 | 1 Php-fusion | 1 Expanded Calendar Module | 2025-04-09 | N/A |
| SQL injection vulnerability in infusions/calendar_events_panel/show_single.php in the Expanded Calendar 2.x module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the sel parameter. | ||||