Skip to main content

Php Fusion CVE-2020-17449

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2020-08-12 cve@mitre.org
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Aug 12, 2020 - 22:15 nvd
MEDIUM 5.4

DescriptionNVD

PHP-Fusion 9.03 allows XSS via the error_log file.

AnalysisAI

PHP-Fusion 9.03 allows XSS via the error_log file. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Affected products include: Php-Fusion.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2013-1806 MEDIUM POC
6.5 Apr 30

Multiple directory traversal vulnerabilities in PHP-Fusion before 7.02.06 allow remote authenticated users to include an

CVE-2020-24949 HIGH POC
8.8 Sep 03

Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a cr

CVE-2020-12461 HIGH POC
8.8 Apr 29

PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. Rated high severi

CVE-2019-12099 HIGH POC
8.8 May 14

In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dyn

CVE-2013-1807 MEDIUM POC
5.0 Apr 30

PHP-Fusion before 7.02.06 stores backup files with predictable filenames in an unrestricted directory under the web docu

CVE-2013-7375 HIGH POC
7.5 May 05

SQL injection vulnerability in includes/classes/Authenticate.class.php in PHP-Fusion 7.02.01 through 7.02.05 allows remo

CVE-2013-1803 HIGH POC
7.5 May 05

Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to execute arbitrary SQL comm

CVE-2014-8596 HIGH POC
7.5 Nov 17

Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow remote authenticated users to execute arbitrary SQL c

CVE-2020-14960 HIGH POC
7.2 Jun 22

A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype param

CVE-2020-17450 MEDIUM POC
6.1 Aug 12

PHP-Fusion 9.03 allows XSS on the preview page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploit

CVE-2020-12708 MEDIUM POC
6.1 May 07

Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web scrip

CVE-2013-1804 MEDIUM POC
4.3 Apr 29

Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitr

Share

CVE-2020-17449 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy