Date: 2023-09-05

Exploitation

CVE-2023-2453

An attacker authenticated with “Member”, “Administrator”, or “Super Administrator” privileges can send a crafted HTTP GET request to an endpoint in the “Forum” Infusion with a vulnerable parameter containing traversal sequences to include and execute arbitrary ‘.php’ files on the underlying operating system.

CVE-2023-4480

An attacker who can log in to the admin panel of the application with either an “Administrator” or “Super Administrator” account can send HTTP requests containing directory traversal payloads to an endpoint within the “Fusion File Manager” component to either disclose the contents of files or write files of a limited subset of types to known absolute paths on the underlying server’s filesystem.
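
Both issues above reach the server as request parameters carrying traversal sequences, so one place to look for them is the web server's access log. The following detection sketch is an added example, not part of the advisory or of PHPFusion's code; the endpoint paths, the parameter name `PARAM` and the log lines are constructed placeholders, since the advisory does not name the real ones.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (combined log format). Paths and parameter
# names are placeholders, not the real PHPFusion endpoints.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2023:10:00:01 +0000] "GET /EXAMPLE/forum.php?PARAM=viewthread HTTP/1.1" 200 5120
203.0.113.5 - - [05/Sep/2023:10:00:07 +0000] "GET /EXAMPLE/forum.php?PARAM=..%2F..%2Fuploads%2Fnote HTTP/1.1" 200 312
203.0.113.9 - - [05/Sep/2023:10:01:12 +0000] "GET /EXAMPLE/filemanager.php?PARAM=%252e%252e%255cconfig HTTP/1.1" 200 88
203.0.113.9 - - [05/Sep/2023:10:01:30 +0000] "GET /EXAMPLE/news.php?title=a..b&page=2 HTTP/1.1" 200 901
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT) (\S+) HTTP/[\d.]+"')
# ".." as a whole path segment: delimited by /, \ or the ends of the value.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(log_text):
    """Return (client, path, parameter) for each parameter holding a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        # parse_qsl decodes once; fully_decode strips any further layers.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if TRAVERSAL_RE.search(fully_decode(value)):
                hits.append((client, url.path, name))
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```

Access logs record only the request line, so parameters sent in a request body are not covered by this check and need application or WAF logging instead.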