XSS Vulnerability in PHP-Fusion 9.03.50 Affects Banners Feature
CVE-2020-12438

5.4MEDIUM

Key Information:

Vendor

PHP-fusion

Status
PHP-fusion
Vendor
CVE Published:
28 April 2020

What is CVE-2020-12438?

An XSS vulnerability has been identified in the banners.php page of PHP-Fusion 9.03.50. This flaw arises from inadequate security measures, as the only protection against XSS is the removal of SCRIPT tags. Malicious actors can exploit this vulnerability by leveraging HTML event handlers, allowing them to execute JavaScript without needing SCRIPT tags. This presents significant risks to users and data integrity within PHP-Fusion implementations.

References

https://github.com/php-fusion/PHP-Fusion/commit/c36006f90...
x_refsource_MISC
https://github.com/php-fusion/PHP-Fusion/issues/2307
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.