A "missing request validation" error in phpBB 2 before 2.0.18 allows remote attackers to edit private messages of other users, probably by modifying certain parameters or other...
6.3AI Score
0.003EPSS
Unspecified vulnerability in posting.php in phpBB before 3.0.5 has unknown impact and attack vectors related to the use of a "forum id" in circumstances related to a "global...
6.4AI Score
0.003EPSS
feed.php in phpBB 3.0.7 before 3.0.7-PL1 does not properly check permissions for feeds, which allows remote attackers to bypass intended access restrictions via unspecified attack vectors related to permission settings on a private...
6.7AI Score
0.002EPSS
Unspecified vulnerability in phpBB before 3.0.4 allows attackers to obtain sensitive information via unknown vectors related to the lack of password prompts for a private message that quotes a post in a password-protected...
6.2AI Score
0.001EPSS
6.5CVSS
6.3AI Score
0.001EPSS
4.3CVSS
4.7AI Score
0.001EPSS
6.1CVSS
6AI Score
0.001EPSS
phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored...
6.5CVSS
6.3AI Score
0.001EPSS
7.5CVSS
7.3AI Score
0.003EPSS
Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of Google Chrome to arbitrary web sites and conduct phishing attacks via unspecified...
6.1CVSS
6AI Score
0.003EPSS
Unspecified vulnerability in phpBB before 3.0.4 allows attackers to bypass intended access restrictions and activate de-activated accounts via unknown...
6.6AI Score
0.003EPSS
Unspecified vulnerability in phpBB before 3.0.1 has unknown impact and attack vectors related to "urls gone through redirect() being used within...
6.4AI Score
0.003EPSS
Multiple unspecified vulnerabilities in phpBB before 3.0.1 have unknown impact and attack vectors, related to "two minor security-related...
6.8AI Score
0.003EPSS
Cross-site request forgery (CSRF) vulnerability in privmsg.php in phpBB 2.0.22 allows remote attackers to delete private messages (PM) as arbitrary users via a deleteall...
6.7AI Score
0.002EPSS
PHP remote file inclusion vulnerability in phpbb_security.php in phpBB Security 1.0.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the php_root_path...
7.6AI Score
0.015EPSS
Unspecified vulnerability in phpBB before 2.0.22 has unknown impact and remote attack vectors related to "criteria for 'bad' redirection...
6.4AI Score
0.006EPSS
Unspecified vulnerability in phpBB before 2.0.22 has unknown impact and remote attack vectors related to a "negative start...
6.3AI Score
0.006EPSS
Certain forms in phpBB before 2.0.22 lack session checks, which has unknown impact and remote attack...
6.5AI Score
0.006EPSS
Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.21 allows remote authenticated users to send unauthorized messages as an arbitrary user via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party...
6.2AI Score
0.004EPSS
phpBB 2.0.21 does not properly handle pathnames ending in %00, which allows remote authenticated administrative users to upload arbitrary files, as demonstrated by a query to admin/admin_board.php with an avatar_path parameter ending in...
6.2AI Score
0.006EPSS
Unspecified vulnerability in phpBB allows remote authenticated users with Administration Panel access to execute arbitrary PHP code via crafted Font Colour 3 ($theme[fontcolor3] variable) and/or signature values, possibly involving the highlight functionality. NOTE: the original report does not...
7AI Score
0.007EPSS
SQL injection vulnerability in phpBB 2 before 2.0.18 allows remote attackers to execute arbitrary SQL commands via the topic...
8AI Score
0.004EPSS
phpBB 2.0.17 and earlier, when register_globals is enabled and the session_start function has not been called to handle a session, allows remote attackers to bypass security checks by setting the $_SESSION and $HTTP_SESSION_VARS variables to strings instead of arrays, which causes an array_merge...
6.4AI Score
0.013EPSS
Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.17 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) error_msg parameter to usercp_register.php, (2) forward_page parameter to login.php, and (3) list_cat parameter to search.php, which are not...
5.5AI Score
0.006EPSS
usercp_register.php in phpBB 2.0.17 allows remote attackers to modify regular expressions and execute PHP code via the signature_bbcode_uid parameter, as demonstrated by injecting an "e" modifier into a preg_replace...
6.7AI Score
0.025EPSS
phpBB 2.0.17 and earlier allows remote attackers to bypass protection mechanisms that deregister global variables by setting both a GET/POST/COOKIE (GPC) variable and a GLOBALS[] variable with the same name, which causes phpBB to unset the GLOBALS[] variable but not the GPC...
6.3AI Score
0.033EPSS
SQL injection vulnerability in usercp_register.php in phpBB 2.0.17 allows remote attackers to execute arbitrary SQL commands via the signature_bbcode_uid parameter, which is not properly...
8AI Score
0.008EPSS
phpBB 2.0.17 and earlier, when the register_long_arrays directive is disabled, allows remote attackers to modify global variables and bypass security mechanisms because PHP does not define the associated HTTP_*...
6.5AI Score
0.013EPSS
Interpretation conflict in phpBB 2.0.17, with remote avatars and avatar uploading enabled, allows remote authenticated users to inject arbitrary web script or HTML via an HTML file with a GIF or JPEG file extension, which causes the HTML to be executed by a victim who views the file in Internet...
5AI Score
0.823EPSS
Cross-site scripting (XSS) vulnerability in phpBB 2.0.16 allows remote attackers to inject arbitrary web script or HTML via nested [url]...
5.6AI Score
0.004EPSS
phpBB 2.0.11, and possibly other versions, with remote avatars and avatar uploading enabled, allows local users to read arbitrary files by providing both a local and remote location for an avatar, then modifying the "Upload Avatar from a URL:" field to reference the target...
6.2AI Score
0.002EPSS
Directory traversal vulnerability in (1) usercp_register.php and (2) usercp_avatar.php for phpBB 2.0.11, and possibly other versions, with gallery avatars enabled, allows remote attackers to delete (unlink) arbitrary files via "/../" sequences in the avatarselect...
6.6AI Score
0.01EPSS
Cross-site scripting vulnerability in phpBB 2.0.0 (phpBB2) allows remote attackers to execute Javascript as other phpBB users by including a http:// and a double-quote (") in the [IMG] tag, which bypasses phpBB's security check, terminates the src parameter of the resulting HTML IMG tag, and...
6.9AI Score
0.025EPSS