Cross-Site Scripting in PHPFusion by PHPFusion Team
CVE-2021-40541

6.1MEDIUM

Key Information:

Vendor

PHP-fusion

Status
PHPfusion
Vendor
CVE Published:
11 October 2021

What is CVE-2021-40541?

PHPFusion version 9.03.110 is susceptible to a cross-site scripting (XSS) vulnerability due to improper handling of preg patterns in the filter html tag within the descript() function. An authenticated user can exploit this vulnerability by appending '//' at the end of input text, which may lead to execution of arbitrary JavaScript code in the context of a user's session.

References

https://github.com/PHPFusion/PHPFusion/issues/2373
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.