CVE-2006-3555

Name of the Vulnerable Software and Affected Versions PHP-Fusion versions prior to 6.01.3

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved by uploading a file with a .gif or .jpg extension that begins with a GIF header followed by JavaScript code, using edit profile.php to upload an avatar or forum image attachment. The JavaScript code is executed by Internet Explorer.

Recommendations For versions prior to 6.01.3, update to version 6.01.3 or later to resolve the issue. As a temporary workaround, consider restricting the upload of image files with .gif or .jpg extensions that contain executable code.