CVE-2020-37137

Name of the Vulnerable Software and Affected Versions PHP-Fusion version 9.03.50

Description The software contains a remote code execution issue in the add panel form() function. This allows attackers to execute arbitrary code through the use of an eval() function with unsanitized data received via POST requests. Exploitation occurs by sending crafted panel content parameters to the /panels.php endpoint. The /panels.php endpoint is the target of the attack. The panel content parameter is the vulnerable variable used to inject malicious code.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.