PHP-Fusion Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-12718)

Description

In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle.

Remediation

References

CVE-2020-12718

Related Vulnerabilities

WordPress Plugin GEO my WordPress Unspecified Vulnerability (2.6.1.1)

SharePoint CVE-2021-1707 Vulnerability (CVE-2021-1707)

WordPress Plugin Coming soon and Maintenance mode Unspecified Vulnerability (3.5.4)

Envoy Proxy CVE-2025-30157 Vulnerability (CVE-2025-30157)

WordPress Plugin Gravity Forms Unspecified Vulnerability (2.4.17)

Severity

Medium

Classification

CVE-2020-12718 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N