CVSS: 7.2EPSS: 59%CPEs: 2EXPL: 1CVE-2018-19274
https://notcve.org/view.php?id=CVE-2018-19274
Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions. El paso de una ruta absoluta a una comprobación file_exists en phpBB en versiones anteriores a la 3.2.4 permite la ejecución remota de código mediante una inyección de objetos al emplear la deserialización Phar cuando un atacante tiene acceso al panel de control de administrador con permisos de fundador. • https://blog.ripstech.com/2018/phpbb3-phar-deserialization-to-remote-code-execution https://lists.debian.org/debian-lts-announce/2018/11/msg00029.html https://www.phpbb.com/community/viewtopic.php?f=14&t=2492206 • CWE-502: Deserialization of Untrusted Data CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 6.1EPSS: 0%CPEs: 23EXPL: 0CVE-2015-3880
https://notcve.org/view.php?id=CVE-2015-3880
Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of Google Chrome to arbitrary web sites and conduct phishing attacks via unspecified vectors. Una vulnerabilidad de redirección abierta en phpBB en versiones anteriores a la 3.0.14 y 3.1.x anteriores a la 3.1.4 permite que los atacantes remotos redireccionen a los usuarios de Google Chrome a sitios web arbitrarios y lleven a cabo ataques de phishing mediante vectores sin especificar. • http://www.openwall.com/lists/oss-security/2015/05/12/10 http://www.securityfocus.com/bid/74592 https://github.com/phpbb/phpbb/commit/1a3350619f428d9d69d196c52128727e27ef2f04 https://wiki.phpbb.com/Release_Highlights/3.0.14 https://wiki.phpbb.com/Release_Highlights/3.1.4 https://www.phpbb.com/community/viewtopic.php?f=14&t=2313941 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.5EPSS: 3%CPEs: 16EXPL: 1CVE-2004-1535 – phpBB 2.0.x - 'admin_cash.php' PHP Remote File Inclusion
https://notcve.org/view.php?id=CVE-2004-1535
PHP remote file inclusion vulnerability in admin_cash.php for the Cash Mod module for phpBB allows remote attackers to execute arbitrary PHP code by modifying the phpbb_root_path parameter to reference a URL on a remote web server that contains the code. • https://www.exploit-db.com/exploits/24751 http://marc.info/?l=bugtraq&m=110075903308817&w=2 http://marc.info/?l=bugtraq&m=110082153702843&w=2 https://exchange.xforce.ibmcloud.com/vulnerabilities/18151 •