CVE-2006-2330
published 2006-05-12

Priority: P338
Severity: medium, 6.4 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
EXPLOIT
EPSS: 7.83% (93.9th percentile)

PHP-Fusion 6.00.306 and earlier, running under Apache HTTP Server 1.3.27 and PHP 4.3.3, allows remote authenticated users to upload files of arbitrary types by using a filename that contains two or more extensions and ends in an assumed-valid extension such as .gif. This bypasses the validation, as demonstrated by uploading and then executing an avatar file that ends in ".php.gif" and contains PHP code in EXIF metadata.

Affected

11 ranges
Vendor | Product | Version range | Fixed in
php_fusion | php_fusion
php_fusion | php_fusion
php_fusion | php_fusion
php_fusion | php_fusion
php_fusion | php_fusion
php_fusion | php_fusion
php_fusion | php_fusion
php_fusion | php_fusion
php_fusion | php_fusion
php_fusion | php_fusion
php_fusion | php_fusion