Monday, April 28, 2025
Follow us On Linkedin
HomeCyber Security NewsPHPFusion Flaw Allows Attackers to Read Critical System Data

PHPFusion Flaw Allows Attackers to Read Critical System Data

Cyber Security NewsVulnerability Analysis

Published on

By Gurubaran
PHPFusion Flaw Allows Attackers to Read Critical System Data

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

On Tuesday, Synopsys addressed High and medium vulnerabilities CVE-2023-2453, and CVE-2023-4480 discovered in PHPFusion by the researchers.

PHPFusion is an open-source content management system (CMS) designed for managing personal or commercial websites and is offered under the GNU Affero General Public License v3.0. 

These vulnerabilities impact versions 9.10.30 and earlier versions of PHP fusion, which let attackers perform remote code execution attempts.

- Advertisement - Google News

No patches are available to mitigate the vulnerability; instead, it recommends its users disable the” Forum “ option to prevent the exploitation.

CVE-2023-2453

CyRC researcher Matthew Hogg discovered this high vulnerability with a base score of 8.5.

Due to insufficient sanitization of arbitrary files with the ‘.php’ extension for which the absolute path is known to be included and executed. 

Exploitation of this vulnerability can lead to remote code execution (RCE) if an attacker can acquire some means of uploading a crafted payload file with the ‘.php’ extension to any known absolute path on the target system. 

There is no patch available for this vulnerability. Disabling the “Forum” Infusion through the admin panel removes the endpoint for exploiting this vulnerability, preventing the issue.

 If the “Forum” Infusion cannot be disabled, technologies such as a web application firewall may help to mitigate exploitation attempts. 

CVE-2023-4480 

In the admin panel’s “Fusion File Manager” component, an attacker can make a forged request to read system files with the running process’s privileges due to an out-of-date dependency.  

CyRC researcher Dharani Sri Penumacha discovered this medium vulnerability with a base score of 5.2. 

Exploitation of this vulnerability can lead to arbitrary file read and limited file write for known absolute paths on the host. 

There is no patch available for this vulnerability. Technologies such as a web application firewall may help to mitigate exploitation attempts

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Cyber Security News

Windows 11 25H2 Expected to Launch with Minor Changes

Microsoft is quietly preparing the next update to its flagship operating system, Windows 11 25H2,...
CVE/vulnerability

China Claims U.S. Cyberattack Targeted Leading Encryption Company

China has accused U.S. intelligence agencies of carrying out a sophisticated cyberattack against one...
CVE/vulnerability

Critical FastCGI Library Flaw Exposes Embedded Devices to Code Execution

A severe vulnerability (CVE-2025-23016) in the FastCGI library-a core component of lightweight web server...
cyber security

Viasat Modems Zero-Day Vulnerabilities Let Attackers Execute Remote Code

A severe zero-day vulnerability has been uncovered in multiple Viasat satellite modem models, including...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

Register Now

More like this

Cyber Security News

Windows 11 25H2 Expected to Launch with Minor Changes

Microsoft is quietly preparing the next update to its flagship operating system, Windows 11 25H2,...
CVE/vulnerability

China Claims U.S. Cyberattack Targeted Leading Encryption Company

China has accused U.S. intelligence agencies of carrying out a sophisticated cyberattack against one...
CVE/vulnerability

Critical FastCGI Library Flaw Exposes Embedded Devices to Code Execution

A severe vulnerability (CVE-2025-23016) in the FastCGI library-a core component of lightweight web server...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2025 GBHackers On Security - All Rights Reserved