
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

02 Nov 2023 — A vulnerability, which was classified as problematic, has been found in phpBB up to 3.3.10. This issue affects the function main of the file phpBB/includes/acp/acp_icons.php of the component Smiley Pack Handler. The manipulation of the argument pak leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 3.3.11 is able to address this issue. • https://github.com/phpbb/phpbb/commit/ccf6e6c255d38692d72fcb613b113e6eaa240aac • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

17 Aug 2020 — A vulnerability exists in phpBB <v3.2.10 and <v3.3.1 which allowed remote image dimensions check to be used to SSRF. • https://www.phpbb.com/community/viewtopic.php?f=14&t=2562631 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere; CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 8.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

30 Sep 2019 — In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an attacker also manages to retrieve the session id of a reauthenticated administrator prior to targeting them. • https://github.com/phpbb/phpbb/commit/18abef716ecf42a35416444f3f84f5459d573789 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

05 May 2019 — Server side request forgery (SSRF) in phpBB before 3.2.6 allows checking for the existence of files and services on the local network of the host through the remote avatar upload function. • https://www.phpbb.com/community/viewtopic.php?f=14&t=2509941 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

01 May 2019 — The fulltext search component in phpBB before 3.2.6 allows Denial of Service. phpBB versions 3.2.5 and below suffer from a native full text denial of service vulnerability. • http://www.openwall.com/lists/oss-security/2019/04/29/3 • CWE-20: Improper Input Validation

CVSS: 7.2 | EPSS: 21% | CPEs: 2 | EXPL: 1

17 Nov 2018 — Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions. • https://blog.ripstech.com/2018/phpbb3-phar-deserialization-to-remote-code-execution • CWE-502: Deserialization of Untrusted Data; CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSS: 6.1 | EPSS: 0% | CPEs: 23 | EXPL: 0

19 Sep 2017 — Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of Google Chrome to arbitrary web sites and conduct phishing attacks via unspecified vectors. • http://www.openwall.com/lists/oss-security/2015/05/12/10 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 9.8 | EPSS: 2% | CPEs: 16 | EXPL: 1

31 Dec 2004 — PHP remote file inclusion vulnerability in admin_cash.php for the Cash Mod module for phpBB allows remote attackers to execute arbitrary PHP code by modifying the phpbb_root_path parameter to reference a URL on a remote web server that contains the code. • https://www.exploit-db.com/exploits/24751