CVE-2023-53928

5.4 MEDIUM

📋 TL;DR

PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in its file manager that allows attackers to upload malicious SVG files containing JavaScript. When users view these uploaded SVG files, the embedded JavaScript executes in their browsers, potentially stealing session cookies or performing other client-side attacks. This affects all PHPFusion installations running version 9.10.30.

💻 Affected Systems

Products:
  • PHPFusion
Versions: 9.10.30
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires file manager upload functionality to be accessible and SVG uploads to be permitted.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator session cookies, gain full administrative access to the PHPFusion installation, and compromise the entire web application and server.

🟠 Likely Case

Attackers steal user session information, perform account takeovers, deface websites, or redirect users to malicious sites.

🟢 If Mitigated

Limited impact if proper input validation and output encoding are implemented, though the vulnerability still exists.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to have file upload access (typically an authenticated user). Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.10.31 or later

Vendor Advisory: https://www.phpfusion.com/index.php

Restart Required: No

Instructions:

1. Back up your PHPFusion installation and database.
2. Download the latest version from phpfusion.com.
3. Replace all files with the updated version.
4. Run any database update scripts if provided.
5. Test functionality.

🔧 Temporary Workarounds

Disable SVG uploads (platform: all)

Modify the file manager configuration to block SVG file uploads entirely.

Edit the PHPFusion configuration to remove 'svg' from the allowed file types in the file manager settings.

Implement Content Security Policy (platform: all)

Add CSP headers to prevent inline script execution when an uploaded SVG file is rendered by the browser.

Add a Content-Security-Policy: script-src 'self' header in the web server configuration. The header only helps on the responses that actually serve the uploaded SVG files, so make sure it is applied to that path.

🧯 If You Can't Patch

  • Implement strict file type validation to reject SVG files at the web application level.
  • Deploy a web application firewall (WAF) with XSS protection rules to block malicious SVG uploads.
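The first bullet above asks for file type validation at the application level. The following is an added illustration of that check, not PHPFusion code: it rejects an upload when either its extension or its leading bytes identify it as SVG, and reports which scriptable constructs an SVG carries so the rejection can be logged. The blocked-extension set, the scanner patterns and the sample uploads are assumptions constructed for the example.

```python
"""Server-side upload check that rejects SVG by extension and by content.

Added illustration for this advisory, not PHPFusion code. The blocked
extension set, the scanner patterns and the sample uploads are assumptions
chosen for the example; call validate_upload() wherever the application
accepts a file.
"""
import re
from typing import List, Tuple

BLOCKED_EXTENSIONS = {"svg", "svgz"}

# Constructs that let an SVG run script when a browser renders it as a page.
SCRIPT_PATTERNS = {
    "script element": re.compile(rb"<\s*script\b", re.I),
    "event handler attribute": re.compile(rb"\son[a-z]+\s*=", re.I),
    "javascript: URI": re.compile(rb"href\s*=\s*[\"']?\s*javascript:", re.I),
    "foreignObject element": re.compile(rb"<\s*foreignObject\b", re.I),
}

_SVG_ROOT = re.compile(rb"<\s*svg\b", re.I)
# Material an SVG may carry before its root element: whitespace, an XML
# declaration, comments and a DOCTYPE.
_PROLOGUE = re.compile(rb"(?:\s|<\?xml[^>]*\?>|<!--.*?-->|<!DOCTYPE[^>]*>)*",
                       re.I | re.S)


def looks_like_svg(data: bytes) -> bool:
    """True if the bytes are an SVG document, whatever the file is called."""
    head = data[:4096]
    prologue = _PROLOGUE.match(head)  # always matches, possibly empty
    return _SVG_ROOT.match(head, prologue.end()) is not None


def svg_active_content(data: bytes) -> List[str]:
    """Names of the scriptable constructs present in the SVG bytes."""
    return [name for name, pat in SCRIPT_PATTERNS.items() if pat.search(data)]


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). An SVG is rejected however it is named."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return False, "extension .%s is blocked" % ext
    if looks_like_svg(data):
        found = svg_active_content(data)
        detail = ", ".join(found) if found else "no active content detected"
        return False, "content is SVG despite extension %r (%s)" % (ext, detail)
    return True, "accepted"


# Constructed sample uploads (not files from any real incident).
SAMPLES = {
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>',
    "banner.png": b"\x89PNG\r\n\x1a\n" + bytes(16),
    # An SVG with a script element and an onload handler, renamed to .jpg.
    "photo.jpg": (b'<?xml version="1.0"?>\n<!-- constructed -->\n'
                  b'<svg xmlns="http://www.w3.org/2000/svg" onload="run()">'
                  b'<script>/* constructed */</script></svg>'),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, validate_upload(name, data))
```

Checking the content rather than only the name matters because the renamed sample ("photo.jpg") passes an extension-only filter; the content sniff still rejects it and names the script element and event handler it contains.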

🔍 How to Verify

Check if Vulnerable:

Check whether the installation is running PHPFusion 9.10.30 by examining the version shown in the admin panel or recorded in the PHPFusion files.

Check Version:

Check includes/core_functions_include.php or admin panel for version information.

Verify Fix Applied:

Verify that the installation is running PHPFusion 9.10.31 or later, then test the SVG upload functionality to confirm uploads are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads, especially with script tags in content
  • Multiple failed upload attempts with SVG files

Network Indicators:

  • HTTP POST requests uploading SVG files to file manager endpoints
  • Subsequent requests with stolen session cookies

SIEM Query:

source="web_server_logs" AND (uri_path="/file_manager/upload" OR file_extension=".svg")
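The log and network indicators above, together with the SIEM query, worked through as an added example (not PHPFusion code and not any SIEM's own query language): it parses access log lines in the combined format used by Apache and nginx, flags POSTs to the file manager upload endpoint and any request for an .svg path, and counts repeated failed uploads per client. The upload endpoint path is taken from the query above; the combined log format, the sample lines and the failure threshold are assumptions made for this example.

```python
"""Flag file-manager uploads and SVG requests in web server access logs.

Added example for this advisory; not PHPFusion or any SIEM's own code. It
assumes the combined log format used by Apache and nginx, takes the upload
endpoint path from the SIEM query, and uses a failure threshold chosen here
for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

UPLOAD_ENDPOINTS = ("/file_manager/upload",)   # as in the SIEM query
FAILED_UPLOAD_THRESHOLD = 3                    # assumption for this example


@dataclass
class Hit:
    ip: str
    user: str
    ts: str
    method: str
    path: str
    status: int
    reason: str


def classify(line: str) -> Optional[Hit]:
    """Return a Hit for a line that matches an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]   # drop the query string
    status = int(m["status"])
    if m["method"] == "POST" and path.startswith(UPLOAD_ENDPOINTS):
        reason = "POST to file manager upload endpoint"
    elif path.lower().endswith((".svg", ".svgz")):
        reason = "request for an SVG file"
    else:
        return None
    if status >= 400:
        reason += " (failed)"
    return Hit(m["ip"], m["user"], m["ts"], m["method"], path, status, reason)


def scan(lines: List[str]) -> List[Hit]:
    """All indicator hits in the given log lines, in log order."""
    return [h for h in map(classify, lines) if h is not None]


def repeated_failed_uploads(hits: List[Hit],
                            threshold: int = FAILED_UPLOAD_THRESHOLD) -> Dict[str, int]:
    """Client IPs with at least `threshold` failed POSTs to the upload endpoint."""
    failed = Counter(h.ip for h in hits
                     if h.method == "POST" and h.status >= 400
                     and h.path.startswith(UPLOAD_ENDPOINTS))
    return {ip: n for ip, n in failed.items() if n >= threshold}


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - admin [10/Oct/2023:13:55:36 +0000] "POST /file_manager/upload HTTP/1.1" 200 512
203.0.113.7 - admin [10/Oct/2023:13:55:40 +0000] "GET /images/uploads/avatar.svg HTTP/1.1" 200 2048
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 8192
203.0.113.9 - bob [10/Oct/2023:14:01:10 +0000] "POST /file_manager/upload?dir=images HTTP/1.1" 403 0
203.0.113.9 - bob [10/Oct/2023:14:01:12 +0000] "POST /file_manager/upload HTTP/1.1" 403 0
203.0.113.9 - bob [10/Oct/2023:14:01:15 +0000] "POST /file_manager/upload HTTP/1.1" 403 0
""".splitlines()

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h.ts, h.ip, h.user, h.status, h.reason)
    print("repeated failed uploads:", repeated_failed_uploads(hits))
```

The access log does not reveal the content of an uploaded file, so this only surfaces candidate events; pairing a successful upload with a later GET for an .svg path from the same client, as the first two sample lines show, is what makes a hit worth a closer look.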