Cross-site scripting in PHP-Fusion

#VU34409 Cross-site scripting in PHP-Fusion

Published: 2020-05-07 | Updated: 2020-08-08

Vulnerability identifier: #VU34409

Vulnerability risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-12706

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP-Fusion
Web applications / CMS

Vendor: PHP-Fusion

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php

Mitigation
Install update from vendor's website.

Vulnerable software versions

PHP-Fusion: 9.03.50

External links
http://github.com/php-fusion/PHP-Fusion/commit/67273e546642d39451858a47296957807c9abd5f
http://github.com/php-fusion/PHP-Fusion/issues/2306
http://www.exploit-db.com/exploits/48404

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in PHP-Fusion