CVE-2014-8596

Name of the Vulnerable Software and Affected Versions PHP-Fusion version 7.02.07

Description The issue allows remote authenticated users to execute arbitrary SQL commands. This can be achieved via the submit id parameter in a 2 action to "files/administration/submissions.php" or the status parameter to "files/administration/members.php".

Recommendations For PHP-Fusion version 7.02.07, consider restricting access to the "files/administration/submissions.php" and "files/administration/members.php" files until a patch is available. As a temporary workaround, avoid using the submit id and status parameters in the affected API endpoints. At the moment, there is no information about a newer version that contains a fix for this vulnerability.