PT-2019-12639 · Php Fusion · Php-Fusion

Akkus

Published

2019-05-14

Updated

2020-08-24

CVE-2019-12099

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions PHP-Fusion version 9.03.00

Description The issue allows remote authenticated users to execute arbitrary code. This is due to the mishandling of executable files during avatar upload in the includes/dynamics/includes/form fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc files.

Recommendations For PHP-Fusion version 9.03.00, consider disabling the avatar upload feature until a patch is available to prevent the execution of arbitrary code. Restrict access to the edit profile.php file to minimize the risk of exploitation. Avoid using the vulnerable files includes/dynamics/includes/form fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc until the issue is resolved.

Exploit

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2019-12099

Affected Products

Php-Fusion

PT-2019-12639 · Php Fusion · Php-Fusion

CVE-2019-12099

Weakness Enumeration

Related Identifiers

Affected Products

References · 5