Lucene search

K

Phpbb Security Vulnerabilities

cve
cve

CVE-2008-1171

Multiple PHP remote file inclusion vulnerabilities in the 123 Flash Chat Module for phpBB allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) 123flashchat.php and (2) phpbb_login_chat.php. NOTE: CVE disputes this issue because $phpbb_root_path is.....

7.8AI Score

0.006EPSS

2008-03-05 11:44 PM
24
cve
cve

CVE-2006-2865

PHP remote file inclusion vulnerability in template.php in phpBB 2 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter. NOTE: followup posts have disputed this issue, stating that template.php does not appear in phpBB and does not use a $page variable. It is...

7.6AI Score

0.068EPSS

2006-06-06 08:06 PM
24
cve
cve

CVE-2007-1695

PHP remote file inclusion vulnerability in includes/usercp_register.php in phpBB 2.0.19 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. NOTE: this issue has been disputed by third-party researchers, stating that the file checks for a global...

7.5AI Score

0.006EPSS

2007-03-27 01:19 AM
21
cve
cve

CVE-2006-5435

PHP remote file inclusion vulnerability in groupcp.php in phpBB 2.0.10 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. NOTE: CVE and the vendor dispute this vulnerability because $phpbb_root_path is defined before...

7.9AI Score

0.007EPSS

2006-10-20 11:07 PM
22
cve
cve

CVE-2023-5917

A vulnerability, which was classified as problematic, has been found in phpBB up to 3.3.10. This issue affects the function main of the file phpBB/includes/acp/acp_icons.php of the component Smiley Pack Handler. The manipulation of the argument pak leads to cross site scripting. The attack may be.....

6.1CVSS

6AI Score

0.001EPSS

2023-11-02 11:15 AM
37
cve
cve

CVE-2001-1471

prefs.php in phpBB 1.4.0 and earlier allows remote authenticated users to execute arbitrary PHP code via an invalid language value, which prevents the variables (1) $l_statsblock in prefs.php or (2) $l_privnotify in auth.php from being properly initialized, which can be modified by the user and...

8.8CVSS

7.6AI Score

0.016EPSS

2005-04-21 04:00 AM
21
cve
cve

CVE-2006-4893

PHP remote file inclusion vulnerability in bb_usage_stats/includes/bb_usage_stats.php in phpBB XS 0.58 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter, a different vector than...

7.4AI Score

0.144EPSS

2006-09-19 10:07 PM
105
cve
cve

CVE-2006-5094

PHP remote file inclusion vulnerability in includes/functions_kb.php in the phpBB XS 2 (Spain version) allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter, a different vector than CVE-2006-4780 or...

7.4AI Score

0.144EPSS

2006-09-29 09:07 PM
21
cve
cve

CVE-2005-1047

Meilad File upload script (up.php) mod for phpBB 2.0.x does not properly limit the types of files that can be uploaded, which allows remote authenticated users to execute arbitrary commands by uploading PHP files, then directly requesting them from the uploads...

7.4AI Score

0.011EPSS

2005-04-12 04:00 AM
21
cve
cve

CVE-2005-0603

viewtopic.php in phpBB 2.0.12 and earlier allows remote attackers to obtain sensitive information via a highlight parameter containing invalid regular expression syntax, which reveals the path in a PHP error...

6.2AI Score

0.004EPSS

2005-03-01 05:00 AM
23
cve
cve

CVE-2018-19274

Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder...

7.2CVSS

7.2AI Score

0.721EPSS

2018-11-17 01:29 PM
44
cve
cve

CVE-2002-2349

phpinfo.php in phpBBmod 1.3.3 executes the phpinfo function, which allows remote attackers to obtain sensitive environment...

6.8AI Score

0.01EPSS

2022-10-03 04:23 PM
19
cve
cve

CVE-2002-2176

SQL injection vulnerability in Gender MOD 1.1.3 allows remote attackers to gain administrative access via the user_level parameter in the User Profile...

8.3AI Score

0.002EPSS

2022-10-03 04:23 PM
22
cve
cve

CVE-2002-2346

phpBB 2.0 through 2.0.3 generates names for uploaded avatar files with the hex-encoded IP address of the client system, which allows remote attackers to obtain client IP...

7AI Score

0.002EPSS

2022-10-03 04:23 PM
19
cve
cve

CVE-2002-1894

Cross-site scripting (XSS) vulnerability in viewtopic.php in phpBB 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the highlight...

6AI Score

0.003EPSS

2022-10-03 04:23 PM
21
cve
cve

CVE-2017-1000419

phpBB version 3.2.0 is vulnerable to SSRF in the Remote Avatar function resulting allowing an attacker to perform port scanning, requesting internal content and potentially attacking such internal services via the web...

7.5CVSS

7.5AI Score

0.002EPSS

2022-10-03 04:23 PM
41
cve
cve

CVE-2005-3537

A "missing request validation" error in phpBB 2 before 2.0.18 allows remote attackers to edit private messages of other users, probably by modifying certain parameters or other...

6.3AI Score

0.003EPSS

2022-10-03 04:22 PM
24
cve
cve

CVE-2006-5610

PHP remote file inclusion vulnerability in player/includes/common.php in Teake Nutma Foing, as modified in Fully Modded phpBB (phpbbfm) 2021.4.40, allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path...

7.9AI Score

0.004EPSS

2022-10-03 04:21 PM
20
cve
cve

CVE-2006-1775

Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.19 allow remote attackers to inject arbitrary web script or HTML via the (1) Site Description field in (a) admin_board.php, the (2) Group name and (3) Group description fields in (b) admin_groups.php and (c) groupcp.php, the (4)...

5.8AI Score

0.006EPSS

2022-10-03 04:21 PM
18
cve
cve

CVE-2010-1630

Unspecified vulnerability in posting.php in phpBB before 3.0.5 has unknown impact and attack vectors related to the use of a "forum id" in circumstances related to a "global...

6.4AI Score

0.003EPSS

2022-10-03 04:21 PM
29
cve
cve

CVE-2010-1627

feed.php in phpBB 3.0.7 before 3.0.7-PL1 does not properly check permissions for feeds, which allows remote attackers to bypass intended access restrictions via unspecified attack vectors related to permission settings on a private...

6.7AI Score

0.002EPSS

2022-10-03 04:20 PM
26
cve
cve

CVE-2008-6507

Unspecified vulnerability in phpBB before 3.0.4 allows attackers to obtain sensitive information via unknown vectors related to the lack of password prompts for a private message that quotes a post in a password-protected...

6.2AI Score

0.001EPSS

2022-10-03 04:13 PM
23
cve
cve

CVE-2020-8226

A vulnerability exists in...

5.8CVSS

5.4AI Score

0.001EPSS

2020-08-17 04:15 PM
35
cve
cve

CVE-2019-16108

phpBB 3.2.7 allows adding an arbitrary Cascading Style Sheets (CSS) token sequence to a page through...

7.5CVSS

7.4AI Score

0.001EPSS

2020-03-20 12:17 AM
75
cve
cve

CVE-2019-16107

Missing form token validation in phpBB 3.2.7 allows CSRF in deleting post...

4.3CVSS

5AI Score

0.001EPSS

2020-03-11 01:15 PM
41
cve
cve

CVE-2020-5502

phpBB 3.2.8 allows a CSRF attack that can approve pending group...

6.5CVSS

6.3AI Score

0.001EPSS

2020-01-15 12:15 AM
74
cve
cve

CVE-2020-5501

phpBB 3.2.8 allows a CSRF attack that can modify a group...

4.3CVSS

4.7AI Score

0.001EPSS

2020-01-15 12:15 AM
80
cve
cve

CVE-2011-0544

phpbb 3.0.x-3.0.6 has an XSS vulnerability via the [flash] BB...

6.1CVSS

6AI Score

0.001EPSS

2019-11-14 12:15 AM
30
cve
cve

CVE-2019-16993

In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an attacker also manages to retrieve the session id of a reauthenticated administrator prior to targeting...

8.8CVSS

8.4AI Score

0.006EPSS

2019-09-30 12:15 PM
95
cve
cve

CVE-2019-13376

phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored...

6.5CVSS

6.3AI Score

0.001EPSS

2019-09-27 01:15 PM
36
cve
cve

CVE-2019-11767

Server side request forgery (SSRF) in phpBB before 3.2.6 allows checking for the existence of files and services on the local network of the host through the remote avatar upload...

5.8CVSS

5.9AI Score

0.001EPSS

2019-05-05 06:29 AM
33
cve
cve

CVE-2019-9826

The fulltext search component in phpBB before 3.2.6 allows Denial of...

7.5CVSS

7.3AI Score

0.003EPSS

2019-05-02 09:29 PM
74
cve
cve

CVE-2015-3880

Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of Google Chrome to arbitrary web sites and conduct phishing attacks via unspecified...

6.1CVSS

6AI Score

0.003EPSS

2017-09-19 03:29 PM
28
cve
cve

CVE-2015-1432

The message_options function in includes/ucp/ucp_pm_options.php in phpBB before 3.0.13 does not properly validate the form key, which allows remote attackers to conduct CSRF attacks and change the full folder setting via unspecified...

6.8AI Score

0.003EPSS

2015-02-10 05:59 PM
20
cve
cve

CVE-2015-1431

Cross-site scripting (XSS) vulnerability in includes/startup.php in phpBB before 3.0.13 allows remote attackers to inject arbitrary web script or HTML via vectors related to "Relative Path...

5.7AI Score

0.003EPSS

2015-02-10 05:59 PM
16
cve
cve

CVE-2009-3052

SQL injection vulnerability in root/includes/prime_quick_style.php in the Prime Quick Style addon before 1.2.3 for phpBB 3 allows remote authenticated users to execute arbitrary SQL commands via the prime_quick_style parameter to...

8.2AI Score

0.001EPSS

2009-09-03 05:30 PM
24
cve
cve

CVE-2008-7143

phpBB 2.0.23 includes the session ID in a request to modcp.php when the moderator or administrator closes a thread, which allows remote attackers to hijack the session via a post in the thread containing a URL to a remotely hosted image, which might include the session ID in the Referer...

6.8AI Score

0.004EPSS

2009-09-01 04:30 PM
24
cve
cve

CVE-2008-6506

Unspecified vulnerability in phpBB before 3.0.4 allows attackers to bypass intended access restrictions and activate de-activated accounts via unknown...

6.6AI Score

0.003EPSS

2009-03-23 04:30 PM
25
cve
cve

CVE-2008-6377

PHP remote file inclusion vulnerability in include/global.php in Multi SEO phpBB 1.1.0 allows remote attackers to execute arbitrary PHP code via a URL in the pfad...

7.8AI Score

0.025EPSS

2009-03-02 07:30 PM
22
cve
cve

CVE-2008-6314

SQL injection vulnerability in tag_board.php in the Tag Board module 4.0 and earlier for phpBB allows remote attackers to execute arbitrary SQL commands via the id parameter in a delete...

8.7AI Score

0.001EPSS

2009-02-27 11:30 AM
25
cve
cve

CVE-2008-6301

SQL injection vulnerability in shoutbox_view.php in the Small ShoutBox module 1.4 for phpBB allows remote attackers to execute arbitrary SQL commands via the id parameter in a delete...

8.7AI Score

0.001EPSS

2009-02-26 04:17 PM
21
cve
cve

CVE-2008-4125

The search function in phpBB 2.x provides a search_id value that leaks the state of PHP's PRNG, which allows remote attackers to obtain potentially sensitive information, as demonstrated by a cross-application attack against WordPress, a different vulnerability than...

6.3AI Score

0.01EPSS

2008-09-18 05:59 PM
20
cve
cve

CVE-2008-3224

Unspecified vulnerability in phpBB before 3.0.1 has unknown impact and attack vectors related to "urls gone through redirect() being used within...

6.4AI Score

0.003EPSS

2008-07-18 04:41 PM
22
cve
cve

CVE-2008-1766

Multiple unspecified vulnerabilities in phpBB before 3.0.1 have unknown impact and attack vectors, related to "two minor security-related...

6.8AI Score

0.003EPSS

2008-04-12 08:05 PM
23
cve
cve

CVE-2008-1565

Directory traversal vulnerability in forum/irc/irc.php in the PJIRC 0.5 module for phpBB allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the phpEx...

7.2AI Score

0.012EPSS

2008-03-31 10:44 PM
21
cve
cve

CVE-2008-1512

Directory traversal vulnerability in admin/admin_xs.php in eXtreme Styles module (XS-Mod) 2.3.1 and 2.4.0 for phpBB allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the phpEx parameter. NOTE: some of these details are obtained from third party...

7.3AI Score

0.012EPSS

2008-03-25 11:44 PM
19
cve
cve

CVE-2008-1350

SQL injection vulnerability in kb.php in Fully Modded phpBB (phpbbfm) 80220 allows remote attackers to execute arbitrary SQL commands via the k parameter in an article...

8.4AI Score

0.001EPSS

2008-03-17 04:44 PM
22
cve
cve

CVE-2008-1305

SQL injection vulnerability in filebase.php in the Filebase mod for phpBB allows remote attackers to execute arbitrary SQL commands via the id...

8.4AI Score

0.001EPSS

2008-03-12 05:44 PM
20
cve
cve

CVE-2008-0471

Cross-site request forgery (CSRF) vulnerability in privmsg.php in phpBB 2.0.22 allows remote attackers to delete private messages (PM) as arbitrary users via a deleteall...

6.7AI Score

0.002EPSS

2008-01-29 08:00 PM
22
cve
cve

CVE-2007-6223

SQL injection vulnerability in garage.php in phpBB Garage 1.2.0 Beta3 allows remote attackers to execute arbitrary SQL commands via the make_id parameter in a search action in browse...

8.3AI Score

0.002EPSS

2007-12-04 05:46 PM
27
Total number of security vulnerabilities179