7 results (0.004 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

A vulnerability, which was classified as problematic, has been found in phpBB up to 3.3.10. This issue affects the function main of the file phpBB/includes/acp/acp_icons.php of the component Smiley Pack Handler. The manipulation of the argument pak leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 3.3.11 is able to address this issue. • https://github.com/phpbb/phpbb/commit/ccf6e6c255d38692d72fcb613b113e6eaa240aac https://github.com/phpbb/phpbb/releases/tag/release-3.3.11 https://vuldb.com/?ctiid.244307 https://vuldb.com/?id.244307 https://www.phpbb.com https://www.phpbb.com/community/viewtopic.php?t=2646991 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0

A vulnerability exists in phpBB <v3.2.10 and <v3.3.1 which allowed remote image dimensions check to be used to SSRF. Se presenta una vulnerabilidad en phpBB versiones anteriores a v3.2.10 y versiones anteriores a v3.3.1, que permitió que la comprobación de las dimensiones de una imagen remota sea usada en un SSRF. • https://www.phpbb.com/community/viewtopic.php?f=14&t=2562631 https://www.phpbb.com/community/viewtopic.php?f=14&t=2562636 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0

Server side request forgery (SSRF) in phpBB before 3.2.6 allows checking for the existence of files and services on the local network of the host through the remote avatar upload function. Server Side Request Forgery(SSRF) en phpBB versiones anteriores a la 3.2.6 permite comprobar la existencia de archivos y servicios en la red local del host a través de la función de carga remota de avatares. • https://www.phpbb.com/community/viewtopic.php?f=14&t=2509941 • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

The fulltext search component in phpBB before 3.2.6 allows Denial of Service. El componente de búsqueda de texto completo en PHP versión anterior a 3.2.6 permite una Denegación de Servicio, • http://www.openwall.com/lists/oss-security/2019/04/29/3 https://lists.debian.org/debian-lts-announce/2019/05/msg00004.html https://www.phpbb.com/community/viewtopic.php?f=14&t=2509941 • CWE-20: Improper Input Validation •

CVSS: 7.2EPSS: 51%CPEs: 2EXPL: 1

Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions. El paso de una ruta absoluta a una comprobación file_exists en phpBB en versiones anteriores a la 3.2.4 permite la ejecución remota de código mediante una inyección de objetos al emplear la deserialización Phar cuando un atacante tiene acceso al panel de control de administrador con permisos de fundador. • https://blog.ripstech.com/2018/phpbb3-phar-deserialization-to-remote-code-execution https://lists.debian.org/debian-lts-announce/2018/11/msg00029.html https://www.phpbb.com/community/viewtopic.php?f=14&t=2492206 • CWE-502: Deserialization of Untrusted Data CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •