Monday, February 10, 2025
HomeCyber Security NewsPHPFusion Flaw Allows Attackers to Read Critical System Data

PHPFusion Flaw Allows Attackers to Read Critical System Data

Published on

SIEM as a Service

Follow Us on Google News

On Tuesday, Synopsys addressed High and medium vulnerabilities CVE-2023-2453, and CVE-2023-4480 discovered in PHPFusion by the researchers.

PHPFusion is an open-source content management system (CMS) designed for managing personal or commercial websites and is offered under the GNU Affero General Public License v3.0. 

These vulnerabilities impact versions 9.10.30 and earlier versions of PHP fusion, which let attackers perform remote code execution attempts.

No patches are available to mitigate the vulnerability; instead, it recommends its users disable the” Forum “ option to prevent the exploitation.

CVE-2023-2453

CyRC researcher Matthew Hogg discovered this high vulnerability with a base score of 8.5.

Due to insufficient sanitization of arbitrary files with the ‘.php’ extension for which the absolute path is known to be included and executed. 

Exploitation of this vulnerability can lead to remote code execution (RCE) if an attacker can acquire some means of uploading a crafted payload file with the ‘.php’ extension to any known absolute path on the target system. 

There is no patch available for this vulnerability. Disabling the “Forum” Infusion through the admin panel removes the endpoint for exploiting this vulnerability, preventing the issue.

 If the “Forum” Infusion cannot be disabled, technologies such as a web application firewall may help to mitigate exploitation attempts. 

CVE-2023-4480 

In the admin panel’s “Fusion File Manager” component, an attacker can make a forged request to read system files with the running process’s privileges due to an out-of-date dependency.  

CyRC researcher Dharani Sri Penumacha discovered this medium vulnerability with a base score of 5.2. 

Exploitation of this vulnerability can lead to arbitrary file read and limited file write for known absolute paths on the host. 

There is no patch available for this vulnerability. Technologies such as a web application firewall may help to mitigate exploitation attempts

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...