CVE-2004-1703

HIGH

Fusionphp Fusion News - CSRF

Title source: rule

Description

Fusion News 3.6.1 allows remote attackers to add user accounts, if the administrator is logged in, via a comment that contains an img bbcode tag that calls index.php with the signup action, which is executed when the administrator's browser loads the page with the img tag.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Joseph Moniz · text · webapps · php
https://www.exploit-db.com/exploits/24341

Scores

CVSS v3 8.8
EPSS 0.0057
EPSS Percentile 68.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE
CWE-352
Status draft

Affected Products (1)

fusionphp/fusion_news

Timeline

Published Jul 30, 2004
Tracked Since Feb 18, 2026