QwikSec

Security Database

CVE

CWE

Training

CVE-2020-12461

Published: Apr 29, 2020

Modified: Aug 4, 2024

PUBLISHED

Description

PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. An attacker can develop a crafted payload that can be inserted into the sort_order GET parameter on the members.php members search page. This parameter allows for control over anything after the ORDER BY clause in the SQL query.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://hackmd.io/lq7nA3ISSoeiGjiHVn5CoA

x_refsource_MISC

https://github.com/php-fusion/PHP-Fusion/issues/2308

x_refsource_MISC

https://github.com/php-fusion/PHP-Fusion/commit/858e43d7b0ea1897f76d5bcb3a1aed438132c0e2

x_refsource_MISC

https://github.com/php-fusion/PHP-Fusion/commit/d95cd4a2d22487723266c898b98e6be10754e03d

x_refsource_MISC

https://github.com/php-fusion/PHP-Fusion/commit/79fe5ec1d5c75e017a6f42127741b9543658f822

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

CVE-2020-12461 - Security Vulnerability | QwikSec