Medium
PHP-Fusion is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the PHPFusion/Feedback/Comments.ajax.php script using specific parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
Data Manipulation
PHP-Fusion
PHP-Fusion 9.03.60
Refer to vendor’s advisory for the list of affected products and upgraded patches.