Observable response discrepancy in PHP-Fusion

#VU49212 Observable response discrepancy in PHP-Fusion

Published: 2021-01-03 | Updated: 2021-01-03

Vulnerability identifier: #VU49212

Vulnerability risk: Low

CVSSv3.1: 3.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-35952

CWE-ID: CWE-204

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP-Fusion
Web applications / CMS

Vendor: PHP-Fusion

Description

The vulnerability allows a remote attacker to obtain sensitive information.

The vulnerability exists due to PHP-Fusion generates error messages that distinguish between incorrect username and incorrect password. A remote attacker can enumerate existing user accounts.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

PHP-Fusion: 9.0 - 9.03.90

External links
http://github.com/PHPFusion/PHPFusion/issues/2346

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in PHP-Fusion