CVE-2020-37152

MEDIUM

PHP-Fusion 9.03.50 - Cross-Site Scripting via Panel Content POST Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37152. PoCs published by hyp3rlinx.

AI-analyzed exploit summary: The exploit demonstrates an authentication bypass in Windows 'net use' command when the built-in Administrator account is enabled and passwords are reused between systems. It automates the detection and exploitation of this vulnerability by querying registry entries for prior network connections and testing for password reuse.

Description

PHP-Fusion 9.03.50 panels.php is vulnerable to cross-site scripting (XSS) via the 'panel_content' POST parameter. The application fails to properly sanitize user input before rendering it in the browser, allowing attackers to inject arbitrary JavaScript. This can be exploited by submitting crafted input to the 'panel_content' field in panels.php, resulting in execution of malicious scripts in the context of the affected site.

Exploits (1)

exploitdb WORKING POC VERIFIED
by hyp3rlinx · text · local · windows
https://www.exploit-db.com/exploits/48299

Classification
Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 10 (net use command)
No auth needed
Prerequisites: Built-in Administrator account enabled on remote system · Password reuse between originating and remote systems
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 6.1
EPSS 0.0025
EPSS Percentile 15.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE CWE-79
Status published
Products (1)
php-fusion/phpfusion 9.03.50
Published Feb 05, 2026
Tracked Since Feb 18, 2026