CVE-2013-1804

Name of the Vulnerable Software and Affected Versions PHP-Fusion versions prior to 7.02.06

Description The issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including the highlight parameter to "forum/viewthread.php", user list or user types parameters to "messages.php", message parameter to "infusions/shoutbox panel/shoutbox admin.php" or "administration/news.php", panel list parameter to "administration/panel editor.php", the HTTP User Agent string to "administration/phpinfo.php", the " BBCODE " parameter to "administration/bbcodes.php", errorMessage parameter to various scripts in the administration directory when the error is 3, or the body or body2 parameters to "administration/articles.php".

Recommendations For PHP-Fusion versions prior to 7.02.06, update to version 7.02.06 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected parameters and scripts until the update can be applied. Avoid using the vulnerable parameters in the affected API endpoints until the issue is resolved.