On Tuesday, Synopsys addressed High and medium vulnerabilities CVE-2023-2453, and CVE-2023-4480 discovered in PHPFusion by the researchers.
PHPFusion is an open-source content management system (CMS) designed for managing personal or commercial websites and is offered under the GNU Affero General Public License v3.0.
These vulnerabilities impact versions 9.10.30 and earlier versions of PHP fusion, which let attackers perform remote code execution attempts.
No patches are available to mitigate the vulnerability; instead, it recommends its users disable the” Forum “ option to prevent the exploitation.
CVE-2023-2453
CyRC researcher Matthew Hogg discovered this high vulnerability with a base score of 8.5.
Due to insufficient sanitization of arbitrary files with the ‘.php’ extension for which the absolute path is known to be included and executed.
Exploitation of this vulnerability can lead to remote code execution (RCE) if an attacker can acquire some means of uploading a crafted payload file with the ‘.php’ extension to any known absolute path on the target system.
There is no patch available for this vulnerability. Disabling the “Forum” Infusion through the admin panel removes the endpoint for exploiting this vulnerability, preventing the issue.
If the “Forum” Infusion cannot be disabled, technologies such as a web application firewall may help to mitigate exploitation attempts.
CVE-2023-4480
In the admin panel’s “Fusion File Manager” component, an attacker can make a forged request to read system files with the running process’s privileges due to an out-of-date dependency.
CyRC researcher Dharani Sri Penumacha discovered this medium vulnerability with a base score of 5.2.
Exploitation of this vulnerability can lead to arbitrary file read and limited file write for known absolute paths on the host.
There is no patch available for this vulnerability. Technologies such as a web application firewall may help to mitigate exploitation attempts.
Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.