#PHPFusion

H3liumb0y@infosec.exchange
2023-09-06

Title: "🚨 Critical Vulnerability Unearthed in PHPFusion CMS! 🚨"

Researchers have discovered a critical vulnerability in PHPFusion CMS that could allow remote code execution. No patch is available yet, making it a ticking time bomb for websites using this CMS. 🕒💣

Security researchers at Synopsys have identified two significant vulnerabilities in PHPFusion, an open-source Content Management System (CMS) used by approximately 15 million websites globally.

CVE-2023-2453: A critical authenticated local file inclusion flaw that allows for remote code execution (RCE). To exploit this, an attacker needs to:

  • Authenticate to at least a low-privileged account.
  • Know the vulnerable endpoint.
  • Upload a malicious ".php" file to a known path on the target system.

The impact could range from reading arbitrary files to gaining control over the vulnerable server.
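To make the vulnerability class named above concrete from the defender's side, here is an added PHP illustration of a local file inclusion pattern next to a hardened version. This is example code written for this post, not PHPFusion's code; the `page` parameter, the template directory and the allowlist are constructed assumptions.

```php
<?php
// Added example: generic local file inclusion (LFI) pattern and a hardened
// replacement. Not PHPFusion's code; parameter names, directories and the
// allowlist below are constructed for illustration.

declare(strict_types=1);

// VULNERABLE: a request parameter reaches include() unfiltered. If a user can
// place a .php file anywhere on disk (e.g. via an upload feature), pointing
// this at it executes that file; "../" sequences also expose arbitrary files.
function renderPageVulnerable(string $templateDir, string $page): void
{
    include $templateDir . '/' . $page . '.php';
}

// HARDENED: accept only names from a fixed allowlist, then confirm the
// canonical path still lies inside the template directory before including.
function resolveTemplate(string $templateDir, string $page): ?string
{
    $allowed = ['home', 'forum', 'profile']; // constructed allowlist
    if (!in_array($page, $allowed, true)) {
        return null;                          // unknown name: reject
    }
    $base = realpath($templateDir);
    $candidate = realpath($templateDir . '/' . $page . '.php');
    if ($base === false || $candidate === false) {
        return null;                          // missing dir or file: reject
    }
    // Defence in depth: canonical path must start with the canonical base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function renderPageHardened(string $templateDir, string $page): void
{
    $path = resolveTemplate($templateDir, $page);
    if ($path === null) {
        http_response_code(404);
        echo "Unknown page\n";
        return;
    }
    include $path;
}

// Demo with a temporary template directory (constructed) so the script
// runs offline and shows which inputs the hardened resolver rejects.
$tmp = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/templates', 0700, true);
file_put_contents($tmp . '/templates/home.php', "<?php echo \"home\\n\";\n");

$inputs = ['home', 'forum', '../../etc/passwd', '../uploads/shell', "home\0"];
foreach ($inputs as $input) {
    $result = resolveTemplate($tmp . '/templates', $input);
    printf("%-28s => %s\n", json_encode($input), $result === null ? 'rejected' : 'allowed');
}
// 'home' is allowed (file exists); 'forum' is on the allowlist but has no
// file, so realpath() fails and it is rejected; traversal inputs are rejected
// by the allowlist before any filesystem lookup happens.

renderPageHardened($tmp . '/templates', 'home');

// Cleanup of the constructed directory.
unlink($tmp . '/templates/home.php');
rmdir($tmp . '/templates');
rmdir($tmp);
```

The allowlist alone already blocks traversal and uploaded-file names; the `realpath()` containment check guards against future edits that relax the allowlist. Independently of the application code, configuring the web server so that PHP is never executed from upload directories removes the second precondition listed above (a reachable uploaded `.php` file) even when an include flaw exists.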

CVE-2023-4480: A moderate-severity bug related to an outdated dependency in a Fusion file manager component. To exploit this, an attacker needs administrator or super administrator privileges. The vulnerability allows an attacker to:

  • Read the contents of files on the affected system.
  • Write files to arbitrary locations on the system.

Both vulnerabilities affect PHPFusion versions 9.10.30 and earlier. As of now, no patches are available for either flaw. Synopsys attempted multiple channels to contact PHPFusion administrators but received no response.

The vulnerabilities pose a significant risk, especially for small and midsize businesses that commonly use PHPFusion for online forums and community-driven websites. Immediate action is advised for vulnerability management.

🔗 Source: Dark Reading by Jai Vijayan

🏷️ Tags: #PHPFusion #CMS #Vulnerability #RemoteCodeExecution #InfoSec #CyberSecurity #DarkReading
