Critical Vulnerability in PHPFusion CMS Discovered

September 6, 2023 by Namorgy

No patch is available yet for the bug, which can enable remote code execution

Security researchers have discovered what they described as a critical vulnerability in the relatively widely used PHPFusion open source content management system (CMS).

The authenticated local file inclusion flaw, identified as CVE-2023-2453, allows for remote code execution if an attacker can upload a maliciously crafted “.php” file to a known path on a target system.

It is one of two vulnerabilities that researchers at Synopsys discovered recently in PHPFusion. The other flaw, tracked as CVE-2023-4480, is a moderate-severity bug in the CMS that gives attackers a way to read the contents of files on an affected system and also to write files to arbitrary locations on it.

The vulnerabilities exist in versions 9.10.30 of PHPFusion and earlier. No patch is currently available for either flaw.

https://www.darkreading.com/application-security/researchers-discover-critical-vulnerability-in-phpfusion-cms

Our Sponsor

www.Namorgy.com

Namorgy Network Solutions LLC
is dedicated to providing cost-effective IT Managed Services to small and midsize businesses that want to improve their productivity. With our comprehensive approach to Managed Services, we are your single source for all things IT, fully committed to customer service excellence. Our fast and friendly team of experts is always thinking ahead to deliver the best service possible.

Pete Groman
Namorgy Network Solutions GeekByTheWeek[TM]
pete@namorgy.com
972-454-0029

About ISpeakGeek.BIZ

Privacy and Disclosures:

Ispeakgeek .BIZ is a technology advocacy blog that is intended to help individuals and small businesses with understanding business technology. Most of the articles here are content derived from 3rd parties, including our sponsor. I speak geek .BIZ nor our sponsor makes no claims or warranties as to the veracity of the information. All content here in is provided as opinion. Your experience with these products or services may vary.

Your privacy is important to us. We do not record comments and therefore we do not require or record login information or use cookies or tracking information that could uniquely identify you. Unless you have freely given such information in a chat window, we do not have information on website visitors. Any information retained by our web host or stat counters is NOT sold or shared with any other 3rd party.

Advertisements displayed are generated by a 3rd party under their formula and control. I speak geek .BIZ does profit from their click-through, but has only loose control over subject matter categorically, and no control over detail or specific advertisers.

I speak geek .BIZ is affiliated with our sponsor: Namorgy Network Solutions LLC. Namorgy provides the hosting of the I speak geek.BIZ website. Therefore many of the articles here, though general in nature, or related to other 3rd party products, will offer contact information for Namorgy a point of contact for consulting.

Unless otherwise stated, I speak geek .BIZ is not affiliated with nor paid by any other third party or product. I do not receive cash or in-kind payment to review a product or service or for any of my endorsements.

These disclosures are posted as required by FTC ruling http://www.ftc.gov/opa/2009/10/endortest.shtm

Thank you.