PHPFusion, a leading open-source content management system (CMS), has multiple vulnerabilities that could compromise countless websites, experts warn.
A report from the Synopsys researchers who discovered the flaws describes one of the vulnerabilities as an authenticated local file inclusion flaw, now tracked as CVE-2023-2453. If an attacker can upload a malicious PHP file to a known path on a target system, the flaw would allow them to execute arbitrary code on the remote endpoint.
The second vulnerability is a medium-severity bug in the CMS that allows threat actors to read and write files at arbitrary locations. It is tracked as CVE-2023-4480. All PHPFusion versions up to and including 9.10.30 are vulnerable, the researchers said, adding that no patch is available. To make matters worse, there does not seem to be any interest in fixing the flaws.
There are no patches in the pipeline
In a notification email sent to TechRadar Pro on behalf of Synopsys, the company said there are currently “no patches available to fix the vulnerability, nor is the team aware of any plans by the project owners to create a patch.”
Synopsys said it repeatedly tried to reach the PHPFusion maintainers via email, vulnerability disclosure processes, GitHub and community forums, to no avail. In the end, the team decided to go public. PHPFusion has not yet responded to media inquiries.
The open-source CMS was built in 2003. Since then, it has taken off and built a user base of some 15 million people (according to website data). Dark Reading reports that many small and medium-sized businesses are using it to create online forums, community-driven websites, and more.
To stay safe, the researchers added, it would be best to disable the “Forum” infusion through the admin panel, while acknowledging that in some cases this would take down the entire website.