This page aggregates publicly disclosed CVE and security risk information related to php_fusion, with CVSS, EPSS, publication dates, and vulnerability intelligence data to help assess potential risk and remediation priority.
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2007-1978 | SQL injection vulnerability in index.php in the Arcade 1.00 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view_game_list action. | [email protected] | 7.5 | 1.03% | 2007-04-12 | 2026-04-23 |
| CVE-2007-1845 | SQL injection vulnerability in show_event.php in the Expanded Calendar (calendar_panel) 2.00 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the m_month parameter. | [email protected] | 7.5 | 1.24% | 2007-04-03 | 2026-04-23 |
| CVE-2006-4673 | Global variable overwrite vulnerability in maincore.php in PHP-Fusion 6.01.4 and earlier uses the extract function on the superglobals, which allows remote attackers to conduct SQL injection attacks via the _SERVER[REMOTE_ADDR] parameter to news.php. | [email protected] | 2.6 | 1.15% | 2006-09-11 | 2026-04-16 |
| CVE-2006-3555 | Multiple cross-site scripting (XSS) vulnerabilities in submit.php in PHP-Fusion before 6.01.3 allow remote attackers to inject arbitrary web script or HTML by using edit_profile.php to upload a (1) avatar or (2) forum image attachment that has a .gif or .jpg extension, and begins with a GIF header followed by JavaScript code, which is executed by Internet Explorer. | [email protected] | 5.8 | 1.32% | 2006-07-13 | 2026-04-16 |
| CVE-2006-2459 | SQL injection vulnerability in messages.php in PHP-Fusion 6.00.307 and earlier allows remote authenticated users to execute arbitrary SQL commands via the srch_where parameter. | [email protected] | 6.4 | 2.03% | 2006-05-19 | 2026-04-16 |
| CVE-2006-2331 | Multiple directory traversal vulnerabilities in PHP-Fusion 6.00.306 allow remote attackers to include and execute arbitrary local files via (1) a .. (dot dot) in the settings[locale] parameter in infusions/last_seen_users_panel/last_seen_users_panel.php, and (2) a .. (dot dot) in the localeset parameter in setup.php. NOTE: the vendor states that this issue might exist due to problems in third party local files. | [email protected] | 6.4 | 4.36% | 2006-05-12 | 2026-04-16 |
| CVE-2006-2330 | PHP-Fusion 6.00.306 and earlier, running under Apache HTTP Server 1.3.27 and PHP 4.3.3, allows remote authenticated users to upload files of arbitrary types using a filename that contains two or more extensions that ends in an assumed-valid extension such as .gif, which bypasses the validation, as demonstrated by uploading then executing an avatar file that ends in ".php.gif" and contains PHP code in EXIF metadata. | [email protected] | 6.4 | 7.83% | 2006-05-12 | 2026-04-16 |
| CVE-2006-0593 | Cross-site scripting (XSS) vulnerability in PHP-Fusion before 6.00.304 allows remote attackers to inject arbitrary web script or HTML via the (1) shout_name field in shoutbox_panel.php and the (2) comments field in comments_include.php. | [email protected] | 4.3 | 2.09% | 2006-02-08 | 2026-04-16 |
| CVE-2005-4655 | Cross-site scripting (XSS) vulnerability in submit.php in PHP-Fusion 6.0.204 allows remote attackers to inject arbitrary web script or HTML via nested tags in the news_body parameter, as demonstrated by elements such as "<me<meta>ta" and "<sc<script>ript>". | [email protected] | 4.3 | 1.23% | 2005-12-31 | 2026-04-16 |
| CVE-2005-4517 | SQL injection vulnerability in PHP-Fusion 6.00.200 through 6.00.300 allows remote attackers to execute arbitrary SQL commands via the ratings parameter in multiple scripts, such as ratings_include.php. | [email protected] | 7.5 | 1.12% | 2005-12-28 | 2026-04-16 |
| CVE-2005-4516 | Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion 6.00.200 through 6.00.300 allow remote attackers to inject arbitrary web script or HTML via (1) the sortby parameter in members.php and (2) IMG tags. | [email protected] | 4.3 | 2.01% | 2005-12-28 | 2026-04-16 |
| CVE-2005-4005 | SQL injection vulnerability in messages.php in PHP-Fusion 6.00.109 allows remote attackers to obtain path information and possibly execute arbitrary SQL commands via the srch_text parameter in a Search and Sort option to messages.php. | [email protected] | 7.5 | 1.28% | 2005-12-05 | 2026-04-16 |
| CVE-2005-3740 | Multiple SQL injection vulnerabilities in PHP-Fusion 6.00.206 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the forum_id parameter to options.php or (2) lastvisited parameter to viewforum.php. | [email protected] | 7.5 | 1.57% | 2005-11-22 | 2026-04-16 |
| CVE-2005-3161 | Multiple SQL injection vulnerabilities in PHP-Fusion before 6.00.110 allow remote attackers to execute arbitrary SQL commands via (1) the activate parameter in register.php and (2) the cat_id parameter in faq.php. | [email protected] | 7.5 | 1.45% | 2005-10-06 | 2026-04-16 |
| CVE-2005-3160 | Multiple SQL injection vulnerabilities in photogallery.php in PHP-Fusion allow remote attackers to execute arbitrary SQL commands via the (1) album and (2) photo parameters. | [email protected] | 7.5 | 1.11% | 2005-10-06 | 2026-04-16 |
| CVE-2005-3158 | SQL injection vulnerability in messages.php in PHP-Fusion 6.00.106 and 6.00.107 allows remote attackers to execute arbitrary SQL commands via the (1) pm_email_notify and (2) pm_save_sent parameters, a different vulnerability than CVE-2005-3157 and CVE-2005-3159. | [email protected] | 7.5 | 1.83% | 2005-10-06 | 2026-04-16 |
| CVE-2005-3157 | SQL injection vulnerability in messages.php in PHP-Fusion 6.00.109 allows remote attackers to execute arbitrary SQL commands via the msg_send parameter, a different vulnerability than CVE-2005-3158 and CVE-2005-3159. | [email protected] | 7.5 | 3.63% | 2005-10-06 | 2026-04-16 |
| CVE-2005-2783 | Cross-site scripting (XSS) vulnerability in PHP-Fusion 6.00.107 and earlier allows remote attackers to inject arbitrary web script or HTML via nested, malformed URL BBCode tags. | [email protected] | 4.3 | 1.75% | 2005-09-02 | 2026-04-16 |
| CVE-2005-2401 | PHP-Fusion allows remote attackers to inject arbitrary Cascading Style Sheets (CSS) via the BBCode color tag. | [email protected] | 5.0 | 1.34% | 2005-07-27 | 2026-04-16 |
| CVE-2005-2075 | PHP-Fusion 5.0 and 6.0 stores the database file with a predictable filename under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to the filename in the administration/db_backups directory in PHP-Fusion 6.0 or the fusion_admin/db_backups directory in 5.0. | [email protected] | 5.0 | 6.84% | 2005-06-29 | 2026-04-16 |