CVE-2004-1943
CVE-2004-1943 describes a PHP remote file inclusion in album_portal.php for phpBB modified by Przemo 1.8. The vulnerability allows remote attackers to execute arbitrary PHP code by supplying a crafted phpbb_root_path parameter. The details come from NVD/CVE records; no additional exploit, mitigat...
CVE-2004-1315
Summary: CVE-2004-1315 affects phpBB 2.x prior to 2.0.11. The vulnerability stems from improper URL decoding of the highlight parameter in viewtopic.php, allowing a remote attacker to double-encode the highlight value so that PHP exec runs arbitrary code. Exploited in the wild by the Santy.A worm...
CVE-2005-2161
The CVE-2005-2161 entry covers a cross-site scripting (XSS) vulnerability in phpBB 2.0.16 that allows remote attackers to inject arbitrary script or HTML via nested [url] tags. Connected sources confirm phpBB2 exposure and the Debian security advisory DSA-768-1 (and related Debian/NVD entries) de...
CVE-2006-0632
The CVE-2006-0632 entry affects phpBB 2.0.19. The gen_rand_string function uses insufficiently random data (small value space) to generate the activation key (validation ID) sent by e-mail when establishing a password, enabling remote attackers to obtain the key and modify passwords for existing ...
CVE-2005-3418
CVE-2005-3418 affects phpBB 2.0.17 and earlier: multiple cross-site scripting (XSS) vulnerabilities that allow remote attackers to inject arbitrary web scripts via (1) error_msg in usercp_register.php, (2) forward_page in login.php, or (3) list_cat in search.php—globals not initialized as variabl...
CVE-2003-1216
CVE-2003-1216 affects phpBB 2.0.6 and earlier, due to a SQL injection in the search.php handling of the search_id parameter. The vulnerability can allow remote attackers to execute arbitrary SQL and potentially gain privileges. Public details list the affected component as search.php in phpBB pri...
CVE-2005-1193
The CVE-2005-1193 vulnerability affects phpBB up to version 2.0.14 (before 2.0.15). The bbencode_second_pass and make_clickable functions in bbcode.php fail to filter BBCode URLs, allowing remote attackers to execute arbitrary script via URL schemes such as javascript:, applet:, about:, activex:,...
CVE-2004-2350
The CVE-2004-2350 entry pertains to an SQL injection in phpBB’s search.php affecting phpBB 1.0 through 2.0.6 via the search_results parameter. The underlying vulnerability allows remote attackers to execute arbitrary SQL and potentially gain privileges, as described in the fixed-text CVE descript...
CVE-2005-2086
Summary of concrete details (CVE-2005-2086): The phpBB viewtopic.php vulnerability is an arbitrary code execution flaw affecting phpBB 2.0.4 through 2.0.15 (inclusive). The root cause involves improper handling of the highlight parameter in viewtopic.php, enabling PHP code execution on vulnerabl...
CVE-2005-3310
The CVE-2005-3310 issue affects phpBB2 (v2.0.17) where remote authenticated users can inject arbitrary web script/HTML via HTML files with a GIF/JPEG extension when remote avatars and avatar uploads are enabled, leading to cross-site scripting on viewed pages. Root cause: interpretation errors in...
CVE-2005-3416
CVE-2005-3416 affects phpBB up to version 2.0.17 (and earlier) where, if register_globals is enabled and session handling omits a call to session_start, an attacker can bypass security checks by assigning strings to $_SESSION and $HTTP_SESSION_VARS, which causes an array_merge to fail. OpenVAS/De...
CVE-2006-0450
CVE-2006-0450 affects phpBB 2.0.19 and earlier. The vulnerability allows remote attackers to cause a denial of service (application crash) by either: (1) registering many users through profile.php, or (2) performing a specially crafted search via search.php that confuses the database. The impact ...
CVE-2003-1215
CVE-2003-1215 describes an SQL injection in phpBB’s groupcp.php affecting 2.0.6 and earlier, exploitable via the sql_in parameter. This allows group moderators to perform unauthorized activities. The vulnerability is documented across multiple sources (NVD, CVE list, and Nessus plugin), with an e...
CVE-2005-0614
Affected software/component: phpBB (versions
CVE-2005-3415
CVE-2005-3415 affects phpBB 2.0.17 and earlier, where remote attackers can bypass protection by setting a GET/POST/COOKIE variable and a GLOBALS[] variable with the same name, causing GLOBALS[] to be unset while the GPC variable remains. This can manipulate phpBB behavior. The OpenVAS and Debian ...
CVE-2006-4758
CVE-2006-4758 affects phpBB 2.0.21 where an authenticated forum administrator can upload files by crafting the avatar_path parameter ending with .php%00. The vulnerability arises in the handling of pathnames ending in %00, enabling arbitrary file uploads. Public references in Debian OpenVAS entri...
CVE-2005-3417
The issue concerns phpBB 2.0.x (2.0.17 and earlier). CVE-2005-3417 is documented as allowing remote attackers to modify global variables and bypass security when certain PHP globals behavior is altered. OpenVAS and Debian/FreeBSD advisories confirm a set of related flaws (CVE-2005-3310, 3415, 341...
CVE-2005-3419
CVE-2005-3419 is a SQL injection vulnerability in phpBB2 (phpBB 2.0.x). The Debian advisory DSA-925-1 and OpenVAS entries enumerate that phpBB2 could be affected via the signature_bbcode_uid parameter, enabling remote attackers to execute arbitrary SQL commands. The issue is listed among multiple...
CVE-2006-6841
Affected product: phpBB (2.x). The issue CVE-2006-6841 arises from forms not performing session checks, enabling CSRF-like actions by an attacker on behalf of a logged-in user. Descriptions consistently indicate unknown impact in the original note, and multiple advisories/OSS records align on thi...
CVE-2006-0437
CVE-2006-0437 describes a cross-site scripting (XSS) vulnerability in phpBB 2.0.19, specifically in admin_smilies.php. The issue allows remote attackers to inject arbitrary web script or HTML by supplying crafted values in the smile_url or smile_emotion parameters (via JavaScript events like onmo...
CVE-2006-6840
CVE-2006-6840 affects phpBB up to version 2.0.22 (and some older distributions) where a negative start parameter could lead to invalid output. The available connected sources confirm this as a remote web-app vulnerability in phpBB’s 2.0.x line with limited, unspecified impact and unknown exploita...
CVE-2004-0339
CVE-2004-0339: A cross-site scripting (XSS) flaw exists in phpBB’s ViewTopic.php, affecting possibly 2.0.6c and earlier. The vulnerability allows an attacker to execute arbitrary script or HTML as other users via the postorder parameter. Other connected records corroborate the same description (...
CVE-2001-1472
The CVE-2001-1472 entry describes a SQL injection in phpBB 1.4.0/1.4.1 through prefs.php via the viewemail parameter. This allows remote authenticated users to execute arbitrary SQL commands and gain administrative access. Affected: phpBB 1.4.0 and 1.4.1; vulnerability originates from the handlin...
CVE-2006-1603
The CVE-2006-1603 entry concerns a cross-site scripting (XSS) vulnerability in phpBB 2.0.19, exploitable through the cur_password parameter in profile.php. The affected software is phpBB 2.0.19, and the vulnerability is triggered via user-supplied input that can inject arbitrary script/HTML into ...
CVE-2006-1775
CVE-2006-1775 affects phpBB 2.0.19 with multiple XSS vulnerabilities. The affected inputs are: (1) Site Description in admin_board.php, (2) Group name and (3) Group description in admin_groups.php and groupcp.php, (4) Theme Name in admin_styles.php, and (5) Rank Title in admin_ranks.php. The note...
CVE-2004-1535
The CVE-2004-1535 issue affects the Cash Mod for phpBB, where admin_cash.php is vulnerable to remote file inclusion via the phpbb_root_path parameter, allowing an attacker to instruct the server to include PHP code from a remote URL and execute arbitrary code. This results in remote code executio...
CVE-2005-0673
CVE-2005-0673 affects phpBB 2.0.13 via cross-site scripting in usercp_register.php, enabling remote attackers to inject arbitrary HTML/JS by manipulating (1) allowhtml, (2) allowbbcode, or (3) allowsmilies in signatures associated with privmsg.php or viewtopic.php. Documented impact is limited to...
CVE-2005-3536
CVE-2005-3536: SQL injection in phpBB 2 prior to 2.0.18 via the topic type. Multiple connected advisories (Debian DSA-925-1, OpenVAS entries) confirm the vulnerability and suggest patching phpBB2 packages; remediation involves upgrading to the fixed phpBB version per the advisories. The affected...
CVE-2005-4358
CVE-2005-4358 affects phpBB 2.0.18. The vulnerability is in admin/admin_disallow.php where a direct request with a non-empty setmodules parameter leads to an invalid append_sid function call that leaks the installation path in an error message. Impact: remote attackers can obtain the path to the ...
CVE-2006-6508
CVE-2006-6508 is a cross-site request forgery (CSRF) affecting phpBB 2.0.21. The issue allows a remote authenticated user to perform actions (send unauthorized messages as another user) via unspecified vectors. Root cause details are not fully disclosed in the provided documents, but Debian/DSA-1...
CVE-2004-2055
The CVE-2004-2055 issue affects phpBB
CVE-2005-1196
CVE-2005-1196: SQL injection in phpBB Knowledge Base module kb.php via the cat parameter due to improper input sanitization. This allows remote attackers to modify SQL queries and potentially access sensitive data. Affected component is the Knowledge Base module for phpBB; the vulnerability is do...
CVE-2005-3420
CVE-2005-3420 affects phpBB 2.0.x (notably phpBB 2.0.17) via the signature_bbcode_uid parameter in usercp_register.php, allowing remote attackers to modify regular expressions and execute PHP code. Debian and OpenVAS advisories group this with multiple phpBB vulnerabilities; Debian fixes upgrade ...
CVE-2005-3537
CVE-2005-3537 affects phpBB 2 before 2.0.18, with a missing input/request validation flaw that enables remote attackers to edit private messages of other users by tampering with parameters or inputs. Public records in multiple feeds (NVD, Debian DSA, Red Hat, OpenVAS listings) confirm the vulnera...
CVE-2006-6839
CVE-2006-6839 affects phpBB before 2.0.22. The issue is described as an unspecified vulnerability with unknown impact and remote attack vectors related to redirection targets not being properly validated. CVSS base score listed as 10.0 (high impact). Debian/DSA-1488-1 indicates fixes: etch (stabl...
CVE-2002-1894
CVE-2002-1894 describes a Cross-site scripting (XSS) vulnerability in phpBB 2.0.3, where the highlight parameter in viewtopic.php can be exploited to inject arbitrary script/HTML. Affected component: phpBB 2.0.3, file viewtopic.php. Root cause: insufficient input handling allowing script/HTML inj...
CVE-2003-0486
The CVE covers a SQL injection in phpBB's viewtopic.php (topic_id parameter) affecting phpBB 2.0.5 and earlier. The root cause is improper handling of user-supplied topic_id, enabling an attacker to exfiltrate password hashes. Connectivity details in the provided documents indicate risk of remote...
CVE-2005-0603
The CVE-2005-0603 entry concerns phpBB up to version 2.0.12 where the viewtopic.php endpoint mishandles the highlight parameter containing invalid regular expression syntax. This causes a PHP error message that reveals the installation path, constituting a path disclosure vulnerability. Affected ...
CVE-2004-0730
phpBB 2.0.8 is affected by multiple XSS vulnerabilities (three vectors: cat_title in index.php, faq[0][0] in lang_faq.php as accessible from faq.php, and faq[0][0] in lang_bbcode.php as accessible from faq.php). The underlying issue is unsanitized input leading to remote script/HTML injection. Re...
CVE-2004-1950
The CVE documents a vulnerability in phpBB 2.0.8a and earlier where the application trusts the IP address provided in the X-Forwarded-For HTTP header. This mis-trust lets remote attackers spoof the user’s apparent IP address. Affected software: phpBB 2.0.8a and older. Root cause: server-side code...
CVE-2005-0259
CVE-2005-0259 affects phpBB 2.0.11 (and possibly other versions) where enabling remote avatars and avatar uploading allows local users to read arbitrary files by providing both a local and remote avatar location and setting the “Upload Avatar from a URL:” field to reference the target file. Root ...
CVE-2006-1896
CVE-2006-1896 concerns a vulnerability in phpbb2 where admin users with access to the Admin Panel can cause arbitrary PHP code execution via the Font Colour 3 setting due to insufficient input sanitisation. Debian/DSA-1066-1 documents that the issue arises from how values are sanitised for Font C...
CVE-2006-2865
The CVE-2006-2865 issue concerns phpBB 2 with a remote file inclusion in template.php via the page parameter, enabling an attacker to execute arbitrary PHP code. Concrete details from connected sources confirm the affected software (phpBB 2) and the vulnerable component (template.php) with the ro...
CVE-2006-6421
CVE-2006-6421 is an XSS in phpBB 2.0.x; the private messaging (privmsg.php) feature allows remote authenticated users to inject arbitrary script/HTML via the Message body when targeting a non-existent user. Affected component: phpBB 2.0.x private messaging; root cause is user-supplied input not s...
CVE-2001-1482
CVE-2001-1482 describes an SQL injection in phpBB 1.4.2, triggered via the $sortby parameter in bb_memberlist.php. The vulnerable component is the member list generation logic, where input is not sufficiently sanitized, allowing remote attackers to execute arbitrary SQL queries. The provided docu...
CVE-2002-1707
Affected product: phpBB 2.0 (through 2.0.1). The vulnerability arises when both allow_url_fopen and register_globals are on and the attacker can modify the phpbb_root_dir to reference a URL on a remote server, enabling remote code execution. This is a remote, unauthenticated attack with impact de...
CVE-2002-2176
The CVE-2002-2176 entry concerns Gender MOD 1.1.3, where a SQL injection vulnerability in the User Profile page (via the user_level parameter) allows remote attackers to gain administrative access. The vulnerability stems from improper handling of user_level input in the profile interface, enabli...
CVE-2005-0258
CVE-2005-0258 is a directory traversal vulnerability in phpBB 2.0.11 (and possibly later versions) affecting the avatar handling paths when Gallery avatars are enabled. The issue resides in the code paths for usercp_avatar.php and usercp_register.php, where remote input can be manipulated with “...
CVE-2005-1115
CVE-2005-1115 refers to multiple XSS flaws in Photo Album 2.0.53 module for phpBB. The vulnerabilities arise when user-supplied input is not properly sanitized, allowing remote attackers to inject arbitrary script or HTML via the bsid parameter to the scripts album_cat.php and album_comment.php. ...
CVE-2005-1116
CVE-2005-1116 is a documented XSS vulnerability in the phpBB Calendar module. The issue allows remote attackers to inject arbitrary web script or HTML via the start parameter to calendar_scheduler.php. The affected component is the phpBB Calendar integration; the root cause is improper sanitizati...