SQL Injection Vulnerability in PHP-Fusion by PHP-Fusion
CVE-2020-12461

8.8HIGH

Key Information:

Vendor

PHP-fusion

Status
PHP-fusion
Vendor
CVE Published:
29 April 2020

What is CVE-2020-12461?

PHP-Fusion version 9.03.50 is vulnerable to SQL Injection, which occurs due to inadequate protection mechanisms in the maincore.php file. An attacker can craft a specific payload to manipulate the sort_order GET parameter on the members.php search page, enabling them to modify the SQL query execution, which can lead to unauthorized data access or manipulation.

References

https://hackmd.io/lq7nA3ISSoeiGjiHVn5CoA
x_refsource_MISC
https://github.com/php-fusion/PHP-Fusion/issues/2308
x_refsource_MISC
https://github.com/php-fusion/PHP-Fusion/commit/858e43d7b...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.