XSS Vulnerability in PHP-Fusion Media Poll Feature
CVE-2020-23754

9.6CRITICAL

Key Information:

Vendor

PHP-fusion

Status
PHPfusion
Vendor
CVE Published:
2 November 2021

What is CVE-2020-23754?

A Cross Site Scripting (XSS) vulnerability exists in the polls feature of PHP-Fusion version 9.03.50. This vulnerability allows attackers to inject arbitrary scripts into the application, potentially compromising user data and executing malicious actions when unsuspecting users interact with the affected polls. The flaw resides in the 'poll_admin.php' file under the 'infusions/member_poll_panel' directory, which lacks adequate sanitization of user inputs, leaving it open to attack. Users of PHP-Fusion are advised to upgrade to the latest version to mitigate this risk.

References

https://github.com/php-fusion/PHP-Fusion/issues/2315
x_refsource_MISC
https://user-images.githubusercontent.com/62001260/815741...
x_refsource_MISC
https://user-images.githubusercontent.com/62001260/815740...
x_refsource_MISC

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2020-23754 : XSS Vulnerability in PHP-Fusion Media Poll Feature