Description
In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload.
Remediation
References