
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

A vulnerability, which was classified as problematic, has been found in phpBB up to 3.3.10. This issue affects the function main of the file phpBB/includes/acp/acp_icons.php of the component Smiley Pack Handler. The manipulation of the argument pak leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 3.3.11 is able to address this issue.
References: https://github.com/phpbb/phpbb/commit/ccf6e6c255d38692d72fcb613b113e6eaa240aac https://github.com/phpbb/phpbb/releases/tag/release-3.3.11 https://vuldb.com/?ctiid.244307 https://vuldb.com/?id.244307 https://www.phpbb.com https://www.phpbb.com/community/viewtopic.php?t=2646991
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

A vulnerability exists in phpBB before v3.2.10 and before v3.3.1 which allowed the remote image dimensions check to be used for SSRF.
References: https://www.phpbb.com/community/viewtopic.php?f=14&t=2562631 https://www.phpbb.com/community/viewtopic.php?f=14&t=2562636
CWE-610: Externally Controlled Reference to a Resource in Another Sphere; CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 8.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an attacker also manages to retrieve the session id of a reauthenticated administrator prior to targeting them.
References: https://github.com/phpbb/phpbb/commit/18abef716ecf42a35416444f3f84f5459d573789 https://lists.debian.org/debian-lts-announce/2019/09/msg00036.html https://lists.debian.org/debian-lts-announce/2019/10/msg00006.html https://www.phpbb.com/community/viewtopic.php?t=2352606 https://www.phpbb.com/support/documents.php?mode=changelog&version=3#v317
CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Server side request forgery (SSRF) in phpBB before 3.2.6 allows checking for the existence of files and services on the local network of the host through the remote avatar upload function.
References: https://www.phpbb.com/community/viewtopic.php?f=14&t=2509941
CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

The fulltext search component in phpBB before 3.2.6 allows Denial of Service.
References: http://www.openwall.com/lists/oss-security/2019/04/29/3 https://lists.debian.org/debian-lts-announce/2019/05/msg00004.html https://www.phpbb.com/community/viewtopic.php?f=14&t=2509941
CWE-20: Improper Input Validation