CVE-2023-53928 - Vulnerability Details

PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session information or performing client-side attacks.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Php-fusion	Phpfusion

No data.

References

Link	Providers
https://www.exploit-db.com/exploits/51411
https://www.phpfusion.com/index.php
https://www.vulncheck.com/advisories/phpfusion-stored-cross-site-scripting-via-file-manager-upload

History

Thu, 18 Dec 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 18 Dec 2025 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Php-fusion Php-fusion phpfusion
Vendors & Products		Php-fusion Php-fusion phpfusion

Wed, 17 Dec 2025 23:00:00 +0000

Type	Values Removed	Values Added
Description		PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session information or performing client-side attacks.
Title		PHPFusion 9.10.30 Stored Cross-Site Scripting via File Manager Upload
Weaknesses		CWE-79
References		https://www.exploit-db.com/exploits/51411 https://www.phpfusion.com/index.php https://www.vulncheck.com/advisories/phpfusion-stored-cross-site-scripting-via-file-manager-upload
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-12-17T22:44:56.912Z

Updated: 2025-12-18T15:02:25.900Z

Reserved: 2025-12-16T19:22:09.996Z

Link: CVE-2023-53928

Vulnrichment

Updated: 2025-12-18T14:48:23.688Z

NVD

Status : Awaiting Analysis

Published: 2025-12-17T23:15:52.180

Modified: 2025-12-18T15:15:51.487

Link: CVE-2023-53928

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object