CVE-2020-12706

MEDIUM

PHP-Fusion 9.03.50 - XSS

Title source: llm

Description

Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php

Exploits (1)

exploitdb WORKING POC

by SunCSR · textwebappsphp

https://www.exploit-db.com/exploits/48404

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory] https://github.com/php-fusion/PHP-Fusion/issues/2306

[Patch, Third Party Advisory] https://github.com/php-fusion/PHP-Fusion/commit/67273e546642d39451858a47296957807c9abd5f

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/48404

Scores

CVSS v3 5.4

EPSS 0.0167

EPSS Percentile 82.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

php-fusion/php-fusion 9.03.50

Published May 07, 2020

Tracked Since Feb 18, 2026