Phpbb Group | Phpbb

81 matches found

added 2004/09/01 4:00 a.m. | 46 views

CVE-2002-1537

The CVE-2002-1537 entry concerns phpBB 2.0.0 where a local attacker can gain administrator privileges by directly calling admin_ug_auth.php with tampered form fields (e.g., u). This is a local privilege escalation affecting phpBB 2.0.0 via the admin_ug_auth.php component, due to manipulated input...

CVSS 10 | AI score 6.9 | EPSS 0.00496

added 2005/11/16 9:17 p.m. | 46 views

CVE-2002-2176

The CVE-2002-2176 entry concerns Gender MOD 1.1.3, where a SQL injection vulnerability in the User Profile page (via the user_level parameter) allows remote attackers to gain administrative access. The vulnerability stems from improper handling of user_level input in the profile interface, enabli...

CVSS 10 | AI score 8.3 | EPSS 0.00688

added 2003/06/28 4:00 a.m. | 46 views

CVE-2003-0486

The CVE covers a SQL injection in phpBB's viewtopic.php (topic_id parameter) affecting phpBB 2.0.5 and earlier. The root cause is improper handling of user-supplied topic_id, enabling an attacker to exfiltrate password hashes. Connectivity details in the provided documents indicate risk of remote...

CVSS 5 | AI score 7.8 | EPSS 0.02452

added 2004/07/23 4:00 a.m. | 46 views

CVE-2004-0730

PhpBB 2.0.8 is affected by multiple XSS vulnerabilities (three vectors: cat_title in index.php, faq[0][0] in lang_faq.php as accessible from faq.php, and faq[0][0] in lang_bbcode.php as accessible from faq.php). The underlying issue is unsanitized input leading to remote script/HTML injection. Re...

CVSS 6.8 | AI score 5.8 | EPSS 0.01631

added 2005/05/27 4:00 a.m. | 46 views

CVE-2004-2130

CVE-2004-2130 affects phpBB 2.0.6. The described vulnerability is multiple cross-site scripting (XSS) in privmsg.php, exploitable via the (1) folder or (2) mode parameters, allowing remote attackers to have their HTML/Script executed in a victim’s browser. The sources consistently cite XSS in php...

CVSS 4.3 | AI score 6.4 | EPSS 0.07292

added 2005/03/26 5:00 a.m. | 46 views

CVE-2005-0871

The CVE-2005-0871 entry describes a vulnerability in the Topic Calendar 1.0.1 module for phpBB. When run on Microsoft IIS, remote attackers can obtain sensitive information by supplying invalid parameters, which cause error messages to reveal the server path. The affected component is calendar_sc...

CVSS 5 | AI score 6.5 | EPSS 0.00477

added 2005/04/16 4:00 a.m. | 46 views

CVE-2005-1114

CVE-2005-1114 affects Photo Album 2.0.53 for phpBB; multiple SQL injection vulnerabilities exist in album_search.php that let remote attackers execute arbitrary SQL via the (1) mode or (2) search parameters. The NVD entry lists a base score of 7.5 (HIGH) with network attack vector and no authenti...

CVSS 7.5 | AI score 8.6 | EPSS 0.00743

added 2005/12/20 1:00 a.m. | 46 views

CVE-2005-4357

CVE-2005-4357 is a cross-site scripting (XSS) vulnerability in phpBB when the “Allowed HTML tags” feature is enabled. The issue allows remote attackers to inject arbitrary JavaScript via a permitted HTML tag that includes characters like " and active attributes such as onmouseover, effectively ex...

CVSS 2.6 | AI score 5.6 | EPSS 0.01415

added 2006/05/02 10:00 a.m. | 46 views

CVE-2006-2134

CVE-2006-2134 describes a PHP remote file inclusion in the Knowledge Base Mod for PHPBB 2.0.2 and earlier. The vulnerability stems from the module_root_path parameter, allowing remote attackers to execute arbitrary PHP code via a crafted URL in that parameter. Affected component is the include fi...

CVSS 5.1 | AI score 7.6 | EPSS 0.06324
Web

added 2006/05/15 4:00 p.m. | 46 views

CVE-2006-2360

CVE-2006-2360 is an SQL injection vulnerability in the Chart Mod for phpBB, specifically in charts.php via the id parameter. Affected component is the Chart mod for phpBB; the root cause is improper input handling allowing the execution of arbitrary SQL commands by remote attackers. Documented im...

CVSS 7.5 | AI score 8.4 | EPSS 0.00558

added 2005/03/07 5:00 a.m. | 45 views

CVE-2005-0659

CVE-2005-0659 affects phpBB 2.0.13 and earlier. A direct request to oracle.php can disclose the installation path via a PHP error message, enabling remote disclosure of sensitive information. This mode provides the vulnerability description, affected software, and the underlying cause (path discl...

CVSS 5 | AI score 6.2 | EPSS 0.00477

added 2005/04/12 4:00 a.m. | 45 views

CVE-2005-1047

CVE-2005-1047 concerns a vulnerability in the phpBB 2.0.x up.php file upload mod. The issue is that the upload script does not properly restrict file types, allowing remote authenticated users to upload executable PHP files and subsequently access them from the uploads directory to execute arbitr...

CVSS 7.5 | AI score 7.4 | EPSS 0.00982

added 2007/02/08 5:00 p.m. | 45 views

CVE-2006-2219

Summary: CVE-2006-2219 affects phpBB 2.0.20. The issue arises because user-supplied input variable types are not verified before being passed to type-dependent functions, enabling information disclosure via error messages. Demonstrated with the mode parameter to memberlist.php and the highlight ...

CVSS 5 | AI score 6.5 | EPSS 0.00911

added 2002/08/31 4:00 a.m. | 44 views

CVE-2002-0902

CVE-2002-0902 describes a cross-site scripting vulnerability in phpBB 2.0.0 (phpBB2). An attacker can cause script execution in other phpBB users’ browsers by inserting a http:// and a double-quote (") into an IMG tag, bypassing phpBB’s security check, which terminates the src parameter of the IM...

CVSS 7.5 | AI score 6.9 | EPSS 0.08223

added 2007/10/17 1:00 a.m. | 44 views

CVE-2003-1373

The provided documents describe CVE-2003-1373 as a vulnerability in PhpBB versions 1.4.0 through 1.4.4. The issue is a directory traversal that lets remote attackers read and include arbitrary files via dot-dot sequences followed by NULL (%00) characters in CGI parameters, demonstrated for the la...

CVSS 6.8 | AI score 7.2 | EPSS 0.0019

added 2005/11/24 11:00 a.m. | 44 views

CVE-2005-3799

The CVE-2005-3799 entry concerns phpBB version 2.0.18, where a large SQL query can cause an error message that reveals SQL syntax or the full installation path, enabling information disclosure to remote attackers. Documents consistently describe this as an information-leak through error text gene...

CVSS 5 | AI score 6.7 | EPSS 0.00462

added 2006/05/15 4:00 p.m. | 44 views

CVE-2006-2359

XSS vulnerability CVE-2006-2359 affects the phpBB Chart mod (charts.php) via the id parameter. The issue allows remote attackers to inject arbitrary script/HTML, with the note that it may stem from SQL injection. Base metrics indicate MEDIUM risk (CVSSv2: AV=N/AC=M/Au=N/C=N/I=P/A=N, base score 4....

CVSS 4.3 | AI score 6.5 | EPSS 0.00558

added 2005/05/10 4:00 a.m. | 43 views

CVE-2004-2054

The CVE-2004-2054 issue affects phpBB versions 2.0.4 and 2.0.9, where a CRLF injection enables HTTP Response Splitting to alter server HTML content via the mode parameter in privmsg.php or the redirect parameter in login.php. OpenVAS notes additional context for phpBB

CVSS 5 | AI score 6.8 | EPSS 0.00563

added 2006/02/06 10:00 p.m. | 43 views

CVE-2006-0438

CVE-2006-0438 is a CSRF vulnerability in phpBB 2.0.19 where enabling Link to off-site Avatar or bbcode (IMG) allows an attacker to perform actions as a logged-in user via a link or image in a profile (e.g., admin/admin_users.php, modcp.php). The NVD entry lists a CVSSv2 base score of 5.0 (Medium)...

CVSS 5 | AI score 6.8 | EPSS 0.00818
Web

added 2006/10/09 7:00 p.m. | 43 views

CVE-2006-5209

The CVE-2006-5209 entry describes a PHP remote file inclusion in Admin Topic Action Logging Mod 0.95 and earlier, used with phpBB 2.0 up to 2.0.21. The vulnerability allows remote attackers to execute arbitrary PHP code via a URL supplied to the phpbb_root_path parameter in admin/admin_topic_acti...

CVSS 7.5 | AI score 7.9 | EPSS 0.06591
Web

added 2006/10/20 11:00 p.m. | 43 views

CVE-2006-5435

The CVE concerns PHP remote file inclusion in phpBB prior to version 2.0.11, specifically via groupcp.php. Affected software: phpBB 2.0.10 and earlier. Vulnerability: an attacker can supply a URL in the phpbb_root_path parameter, enabling remote code execution because PHP file inclusion occurs wi...

CVSS 7.5 | AI score 7.9 | EPSS 0.01244

added 2003/04/02 5:00 a.m. | 41 views

CVE-2002-0473

CVE-2002-0473: The vulnerability affects db.php in phpBB 2.0 (aka phpBB2) RC-3 and earlier. The phpbb_root_path parameter enables remote attackers to execute arbitrary code from remote servers. This is a remote code execution issue in phpBB2 prior to the fixed version; no exploit details are pro...

CVSS 10 | AI score 8.1 | EPSS 0.16891

added 2006/04/20 10:00 a.m. | 41 views

CVE-2006-1895

The provided data confirms CVE-2006-1895 affecting phpBB: a direct static code injection in includes/template.php allows remote authenticated users with write access to execute arbitrary PHP by modifying templates. The root causes are (1) bypassing a loose regex intended to match BEGIN/END in ove...

CVSS 6.5 | AI score 7.5 | EPSS 0.00365
Web

added 2006/08/30 1:00 a.m. | 41 views

CVE-2006-4450

CVE-2006-4450 affects PHPBB 2.0.20 when avatar uploading is enabled: the usercp_avatar.php avatarurl parameter is used to fetch a URL via HTTP GET, enabling an attacker to co-opt the server as a web proxy. The public description specifies the exploit path and impact as a proxy-like use, with CVSS...

CVSS 5.1 | AI score 6.7 | EPSS 0.04788

added 2002/06/11 4:00 a.m. | 40 views

CVE-2002-0475

The CVE-2002-0475 entry describes a cross-site scripting (XSS) vulnerability in phpBB versions 1.4.4 and earlier. The flaw allows remote attackers to cause arbitrary JavaScript execution on a user’s browser by embedding a script inside an IMG tag while editing a message. Affected software is phpB...

CVSS 5.1 | AI score 7.3 | EPSS 0.00846

added 2002/06/11 4:00 a.m. | 40 views

CVE-2002-0533

CVE-2002-0533 affects phpBB 1.4.4 and earlier. The vulnerability lies in how BBCode handling processes [code] tags, allowing remote attackers to trigger CPU-based DoS and corrupt the database by inserting null ASCII 0 characters. The existing records indicate the issue and affected family, but th...

CVSS 5 | AI score 7 | EPSS 0.01498

added 2005/11/16 7:37 a.m. | 40 views

CVE-2003-1244

CVE-2003-1244 affects phpBB 2.0, 2.0.1 and 2.0.2 via a SQL injection in page_header.php triggered by the forum_id parameter to index.php. The underlying issue is improper handling of the forum_id value, enabling an attacker to brute-force user passwords and potentially gain unauthorized access to...

CVSS 7.5 | AI score 8.3 | EPSS 0.0198

added 2005/05/10 4:00 a.m. | 39 views

CVE-2004-1809

The CVE-2004-1809 issue affects phpBB 2.0.6d and earlier, where an XSS vulnerability exists in the web forum files ViewTopic.php and ViewForum.php. The underlying problem is that the (1) postdays parameter in viewtopic.php or (2) topicdays parameter in viewforum.php can be manipulated to inject a...

CVSS 4.3 | AI score 5.7 | EPSS 0.00558

added 2003/06/28 4:00 a.m. | 38 views

CVE-2003-0484

CVE-2003-0484 is an XSS vulnerability in phpBB's viewtopic.php where an attacker can inject arbitrary script via the topic_id parameter. Affected: phpBB (viewtopic.php); Impact: partial confidentiality, integrity, and availability concerns at the browser level due to script execution. CVSS2 base ...

CVSS 6.8 | AI score 6.2 | EPSS 0.00867

added 2005/03/26 5:00 a.m. | 37 views

CVE-2005-0872

Topic Calendar 1.0.1 for phpBB is affected. The vulnerability is a cross-site scripting (XSS) flaw in calendar_scheduler.php that allows remote attackers to inject arbitrary web script or HTML through the start parameter. This is documented in multiple sources (OpenVAS entry “Topic Calendar XSS” ...

CVSS 4.3 | AI score 5.8 | EPSS 0.01856

added 2006/01/05 7:00 p.m. | 37 views

CVE-2006-0063

CVE-2006-0063 affects phpBB 2.0.19, where enabling “Allowed HTML tags” permits cross-site scripting by injecting arbitrary script or HTML via a permitted tag using a single quote character and active attributes such as onmouseover; this is a variant of CVE-2005-4357. The available connected docum...

CVSS 4.3 | AI score 5.7 | EPSS 0.01415

Total number of security vulnerabilities: 81