PT-2020-6388 · Unknown · Php-Fusion
Songohan22 · Published 2020-05-15 · Updated 2021-07-06 · CVE-2020-23181
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
PHP-Fusion version 9.03.60
Description
PHP-Fusion 9.03.60 contains a reflected cross-site scripting (XSS) vulnerability in the /administration/theme.php file. An authenticated attacker can execute arbitrary web script or HTML in the browser of a user who opens a crafted link by supplying a payload through the Manage Theme field. The root cause is insufficient neutralization of user-controlled input during page generation: the submitted value is reflected into the response without adequate output encoding, so markup in it changes the structure of the rendered page. Consistent with the CVSS vector (PR:L, UI:R, S:C), the attacker needs an account, the victim must interact with the crafted request, and the impact lands in the victim's browser rather than in the vulnerable component itself.
Recommendations
For PHP-Fusion 9.03.60, consider disabling access to the /administration/theme.php file until a patch is available, and restrict who can reach the Manage Theme field to reduce the risk of exploitation. Avoid using the Manage Theme field on the affected page until the issue is resolved. At the time of writing there is no information about a newer version that contains a fix for this vulnerability.
Exploit
XSS
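The following is an added illustration of the vulnerability class described above (user input reflected into the generated page without encoding) beside the corresponding output-encoding fix. It is not PHP-Fusion's code and does not reproduce the affected theme.php; the function names, the parameter name and the surrounding markup are assumptions chosen for the example, and the input string is a constructed sample, not a payload from this advisory.

```php
<?php
// Added example, not PHP-Fusion code. Names and markup below are assumptions.

// Vulnerable pattern: the submitted value is concatenated straight into the
// HTML response, so any markup it contains becomes part of the page structure.
function render_theme_vulnerable(string $theme): string
{
    return '<h2>Manage Theme: ' . $theme . '</h2>';
}

// Hardened pattern: encode the value for the HTML text context before it is
// reflected. ENT_QUOTES also escapes single quotes, which matters if the same
// helper is ever reused inside an attribute; passing the charset explicitly
// avoids htmlspecialchars() silently returning '' on an encoding mismatch.
function render_theme_fixed(string $theme): string
{
    return '<h2>Manage Theme: '
        . htmlspecialchars($theme, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</h2>';
}

// Constructed sample input: a generic XSS canary used only to show the
// difference between the two renderers.
$sample = '<script>alert(document.domain)</script>';

// In the vulnerable case the <script> element is emitted as live markup and
// would execute in the browser of whoever views the response.
echo "vulnerable: " . render_theme_vulnerable($sample) . PHP_EOL;

// In the fixed case the angle brackets are entity-encoded, so the browser
// renders the value as inert text.
echo "fixed:      " . render_theme_fixed($sample) . PHP_EOL;
```

Run with `php example.php` and compare the two lines. Two caveats a reviewer would apply when checking a real fix: the encoding must match the output context (HTML body, attribute, URL and JavaScript contexts each need different treatment, and htmlspecialchars() is only correct for the first two), and a Content-Security-Policy that disallows inline script is worth adding as defence in depth, but it does not replace the encoding.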
Weakness Enumeration
Related Identifiers
Affected Products
Php-Fusion