CVE-2005-0829 in PHP-Fusioninfo

Summary

by MITRE

Cross-site scripting (XSS) vulnerability in setuser.php of the Digitanium addon to PHP-Fusion 5.01 allows remote attackers to inject arbitrary web script or HTML via the (1) user_name or (2) user_pass parameters.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 09/21/2025

The vulnerability identified as CVE-2005-0829 represents a critical cross-site scripting flaw within the Digitanium addon for PHP-Fusion version 5.01. This security weakness specifically affects the setuser.php script which handles user account management functions within the content management system. The vulnerability stems from insufficient input validation and output sanitization mechanisms that fail to properly filter malicious content entered by unauthorized users. The flaw exists in how the application processes user_name and user_pass parameters, creating an avenue for attackers to execute arbitrary web scripts or HTML code within the context of other users' browsers.

This XSS vulnerability operates under CWE-79 which classifies it as a weakness in input validation and output encoding. The attack vector allows remote exploitation without requiring any authentication or privileged access, making it particularly dangerous for web applications. The vulnerability is categorized as a reflected XSS issue where malicious input is immediately reflected back to users without proper sanitization. Attackers can craft specially formatted input strings containing script tags or malicious JavaScript code that gets executed when other users view the affected pages. This creates a persistent threat where compromised users' sessions may be hijacked or their browsers redirected to malicious sites.

The operational impact of this vulnerability extends beyond simple script injection as it can enable more sophisticated attacks within the ATT&CK framework under the T1059.007 technique for command and script injection. An attacker could potentially steal session cookies, redirect users to phishing sites, deface the website content, or even establish a backdoor through the compromised application. The vulnerability affects the entire user base of the PHP-Fusion installation since any user account information processed through setuser.php could become compromised. Additionally, this flaw undermines the integrity of user data and can lead to unauthorized access to sensitive information within the application's user management system.

Mitigation strategies for CVE-2005-0829 should prioritize immediate patching of the affected PHP-Fusion version and Digitanium addon to address the input validation gaps. Organizations should implement comprehensive output encoding mechanisms that sanitize all user-supplied data before rendering it in web pages. The implementation of Content Security Policy headers can provide additional protection against script execution. Input validation should be strengthened through the use of allowlists for user_name and user_pass parameters, rejecting any input containing potentially dangerous characters or script tags. Regular security audits and code reviews should be conducted to identify similar vulnerabilities in other application components. Network monitoring should be enhanced to detect suspicious patterns in user submissions that may indicate attempted XSS attacks. The vulnerability demonstrates the critical importance of maintaining up-to-date software versions and implementing defense-in-depth strategies that protect against multiple attack vectors within web applications.

Reservation

03/22/2005

Disclosure

05/02/2005

Moderation

accepted

Entry

VDB-24648

CPE

ready

Exploit

Download

EPSS

0.01685

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!