Description

PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. An attacker can develop a crafted payload that can be inserted into the sort_order GET parameter on the members.php members search page. This parameter allows for control over anything after the ORDER BY clause in the SQL query.

Remediation

References

CVE-2020-12461

Related Vulnerabilities

Drupal Core 9.2.x Security Bypass (9.2.0 - 9.2.17)

Joomla Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2023-23750)

Magento CVE-2020-9585 Vulnerability (CVE-2020-9585)

WordPress Plugin WP Easy Gallery 'select_gallery' Parameter Cross-Site Scripting (1.7)

Piwigo Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-48007)

Severity

High

Classification

CVE-2020-12461 CWE-138 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities