PHP-Fusion Multiple SQL and HTML Injection Vulnerabilities

It is reported that PHP-Fusion is susceptible to HTML and SQL injection vulnerabilities. These vulnerabilities are due to a failure of the application to properly sanitize user-supplied input data.

An attacker may leverage the SQL injection issues to manipulate SQL queries to the underlying database. This may allow the attacker to access sensitive information, such as the administrator password, to corrupt data, and to carry out other attacks.

The HTML injection vulnerabilities may allow an attacker to inject malicious HTML and script code into the vulnerable application. An unsuspecting user viewing the resulting pages will have the attacker-supplied script code executed within their browser in the context of the vulnerable web site.

These vulnerabilities are reported to exist in version 4.01 of PHP-Fusion. Other versions may also be affected.


Copyright 2010, SecurityFocus