CVE-2023-53928
Unknown Unknown - Not Provided

Stored XSS in PHPFusion File Manager via Malicious SVG Upload

Vulnerability report for CVE-2023-53928, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-17

Last updated on: 2025-12-18

Assigner: VulnCheck

Description

PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session information or performing client-side attacks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-17
Last Modified
2025-12-18
Generated
2026-07-06
AI Q&A
2025-12-18
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
phpfusion phpfusion 9.10.30

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by checking for the presence of malicious SVG files uploaded to the PHPFusion file manager, specifically SVG files containing embedded JavaScript <script> tags. One way to detect this is to inspect uploaded SVG files for script tags. Additionally, monitoring HTTP POST requests to the file upload endpoint `/files/includes/elFinder/php/connector.php` with multipart/form-data encoding containing SVG files can help identify exploit attempts. For example, you can use commands like `grep -r '<script' /path/to/phpfusion/uploads/` to find SVG files with embedded scripts. Network monitoring tools can be used to detect POST requests to the vulnerable upload URL. Also, reviewing access logs for requests to `/files/administration/file_manager.php` with admin session parameters may help identify suspicious activity. [2]

Mitigation Strategies

Immediate mitigation steps include restricting or disabling SVG file uploads in the PHPFusion file manager, especially if SVG files are not required. If SVG uploads are necessary, implement strict server-side validation and sanitization to remove any embedded JavaScript or script tags from SVG files before allowing them to be stored. Additionally, apply access controls to limit who can upload files, ensuring only trusted users with appropriate privileges can do so. Monitoring and removing any existing malicious SVG files from the server is also recommended. Finally, keep PHPFusion updated and monitor for any official patches or security updates addressing this vulnerability. [1, 2]

Compliance Impact

The vulnerability allows attackers to execute arbitrary JavaScript in users' browsers by uploading malicious SVG files, potentially leading to theft of user session information. This could result in unauthorized access to personal data, which may violate data protection regulations such as GDPR or HIPAA by compromising confidentiality and user privacy. However, specific impacts on compliance are not detailed in the provided resources. [1, 2]

Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in PHPFusion 9.10.30's file manager. It allows attackers to upload malicious SVG files containing embedded JavaScript. When these SVG files are viewed, the embedded script executes arbitrary JavaScript code.

Impact Analysis

The vulnerability can lead to attackers stealing user session information or performing other client-side attacks by executing arbitrary JavaScript in the context of the affected application.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53928. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart