Description

PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. An attacker can develop a crafted payload that can be inserted into the sort_order GET parameter on the members.php members search page. This parameter allows for control over anything after the ORDER BY clause in the SQL query.

Remediation

References

CVE-2020-12461

Related Vulnerabilities

WordPress Plugin Responsive Notification Bar for WordPress-Apex Notification Bar Lite includes Backdoor [Only if downloaded via the vendor website] (2.0.4)

Jboss EAP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2019-14820)

WordPress Plugin HUSKY-Products Filter Professional for WooCommerce Multiple Vulnerabilities (1.1.9)

Microsoft SQL Server CVE-2023-38169 Vulnerability (CVE-2023-38169)

PmWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2011-4453)

Severity

High

Classification

CVE-2020-12461 CWE-138 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities