CyberSec.Space Logo
返回 CVE 瀏覽器

CVE-2019-12099

HIGH
8.8
CVSS Severity Score
EPSS Score0.0730%
EPSS Percentile41.33th
Published2019年5月14日
Last Modified2024年11月21日

Vulnerability Description

In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload.

Affected Platforms (CPE)

📦
Php Fusion

Php Fusion

< 9.03.00

References & Advisories

🔗 https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6
🔗 https://www.exploit-db.com/exploits/46839
🔗 https://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html
🔗 https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6
🔗 https://www.exploit-db.com/exploits/46839
🔗 https://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html

相關漏洞威脅

CVE-2010-493110.0

Directory traversal vulnerability in maincore.php in PHP-Fusion allows remote attackers to include and execute arbitrary local fil...

CVE-2020-289049.8

Execution with Unnecessary Privileges in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation as nagios via installatio...

CVE-2020-237549.6

Cross Site Scripting (XSS) vulnerability in infusions/member_poll_panel/poll_admin.php in PHP-Fusion 9.03.50, allows attackers to ...

CVE-2020-249498.8

Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted requ...