CyberSec.Space Logo
Back to CVE Browser

CVE-2019-12099

HIGH
8.8
CVSS Severity Score
EPSS Score0.0730%
EPSS Percentile41.33th
PublishedMay 14, 2019
Last ModifiedNov 21, 2024

Vulnerability Description

In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload.

Affected Platforms (CPE)

πŸ“¦
Php Fusion

Php Fusion

< 9.03.00

References & Advisories

πŸ”— https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6
πŸ”— https://www.exploit-db.com/exploits/46839
πŸ”— https://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html
πŸ”— https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6
πŸ”— https://www.exploit-db.com/exploits/46839
πŸ”— https://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html

Related Vulnerabilities

CVE-2010-493110.0

Directory traversal vulnerability in maincore.php in PHP-Fusion allows remote attackers to include and execute arbitrary local fil...

CVE-2020-289049.8

Execution with Unnecessary Privileges in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation as nagios via installatio...

CVE-2020-237549.6

Cross Site Scripting (XSS) vulnerability in infusions/member_poll_panel/poll_admin.php in PHP-Fusion 9.03.50, allows attackers to ...

CVE-2020-249498.8

Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted requ...

CVE-2019-12099 Detail & Impact Analysis | CVSS 8.8 (HIGH) | Cyber-Sec.Space | Cyber-Sec.Space