CVE-2020-23184

Name of the Vulnerable Software and Affected Versions PHP-Fusion version 9.03.60

Description A stored cross site scripting (XSS) issue exists in the /administration/settings registration.php file, allowing authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Registration field. This can be exploited by a remote attacker to execute arbitrary code using a specially crafted payload.

Recommendations For PHP-Fusion version 9.03.60, as a temporary workaround, consider disabling access to the /administration/settings registration.php file until a patch is available. Restrict access to the Registration field in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.