Description
In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload.
Remediation
References