Description
An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags.
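The following added example (not PHP-Fusion source code, and not taken from this advisory) shows why removing only SCRIPT elements leaves event-handler attributes intact, next to output encoding that neutralises both. The function names and sample inputs are constructed for illustration, and it assumes the value is meant to be displayed as text rather than rendered as HTML.

```php
<?php
// Added illustration; function names are hypothetical, not PHP-Fusion APIs.

// Weak filter of the kind the advisory describes: only SCRIPT elements are removed.
function strip_script_tags(string $input): string
{
    return preg_replace('#<script\b[^>]*>.*?</script\s*>#is', '', $input) ?? '';
}

// Output encoding for an HTML text context: no character in the value can
// open a tag or an attribute once it has been encoded.
function encode_for_html(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Review helper: does the markup still carry an on* event-handler attribute?
function has_event_handler(string $html): bool
{
    return preg_match('#<[a-z][^>]*\son[a-z]+\s*=#i', $html) === 1;
}

// Constructed sample inputs.
$samples = [
    'script element' => '<script>alert(1)</script>',
    'event handler'  => '<img src="x" onerror="alert(1)">',
    'plain text'     => 'Summer sale banner',
];

foreach ($samples as $label => $value) {
    $weak = strip_script_tags($value);   // what the weak filter lets through
    $safe = encode_for_html($value);     // what an encoded page would emit

    printf(
        "%-15s handler survives weak filter: %-3s encoded: %s\n",
        $label,
        has_event_handler($weak) ? 'yes' : 'no',
        $safe
    );

    // Encoded output must never contain a live tag carrying a handler.
    if (has_event_handler($safe)) {
        throw new RuntimeException("encoding failed for sample: $label");
    }
}
```

Where a field must accept real HTML, encoding is not an option and an allowlist-based HTML sanitiser that drops all `on*` attributes is needed instead.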
Remediation
References