CVE-2023-53928
Unknown Unknown - Not Provided
Stored XSS in PHPFusion File Manager via Malicious SVG Upload

Publication date: 2025-12-17

Last updated on: 2025-12-18

Assigner: VulnCheck

Description
PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session information or performing client-side attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-14
NVD
CVE-2023-53928
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpfusion phpfusion 9.10.30
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in PHPFusion 9.10.30's file manager. It allows attackers to upload malicious SVG files containing embedded JavaScript. When these SVG files are viewed, the embedded script executes arbitrary JavaScript code.

Impact Analysis

The vulnerability can lead to attackers stealing user session information or performing other client-side attacks by executing arbitrary JavaScript in the context of the affected application.

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious SVG files uploaded to the PHPFusion file manager, specifically SVG files containing embedded JavaScript <script> tags. One way to detect this is to inspect uploaded SVG files for script tags. Additionally, monitoring HTTP POST requests to the file upload endpoint `/files/includes/elFinder/php/connector.php` with multipart/form-data encoding containing SVG files can help identify exploit attempts. For example, you can use commands like `grep -r '<script' /path/to/phpfusion/uploads/` to find SVG files with embedded scripts. Network monitoring tools can be used to detect POST requests to the vulnerable upload URL. Also, reviewing access logs for requests to `/files/administration/file_manager.php` with admin session parameters may help identify suspicious activity. [2]

Mitigation Strategies

Immediate mitigation steps include restricting or disabling SVG file uploads in the PHPFusion file manager, especially if SVG files are not required. If SVG uploads are necessary, implement strict server-side validation and sanitization to remove any embedded JavaScript or script tags from SVG files before allowing them to be stored. Additionally, apply access controls to limit who can upload files, ensuring only trusted users with appropriate privileges can do so. Monitoring and removing any existing malicious SVG files from the server is also recommended. Finally, keep PHPFusion updated and monitor for any official patches or security updates addressing this vulnerability. [1, 2]

Compliance Impact

The vulnerability allows attackers to execute arbitrary JavaScript in users' browsers by uploading malicious SVG files, potentially leading to theft of user session information. This could result in unauthorized access to personal data, which may violate data protection regulations such as GDPR or HIPAA by compromising confidentiality and user privacy. However, specific impacts on compliance are not detailed in the provided resources. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53928. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart