31 matches found
CVE-2004-1943
CVE-2004-1943 describes a PHP remote file inclusion in album_portal.php for phpBB modified by Przemo 1.8. The vulnerability allows remote attackers to execute arbitrary PHP code by supplying a crafted phpbb_root_path parameter. The details come from NVD/CVE records; no additional exploit, mitigat...
CVE-2004-1315
Summary: CVE-2004-1315 affects phpBB 2.x prior to 2.0.11. The vulnerability stems from improper URL decoding of the highlight parameter in viewtopic.php, allowing a remote attacker to double-encode the highlight value so that PHP exec runs arbitrary code. Exploited in the wild by the Santy.A worm...
CVE-2003-1216
CVE-2003-1216 affects phpBB 2.0.6 and earlier, due to a SQL injection in the search.php handling of the search_id parameter. The vulnerability can allow remote attackers to execute arbitrary SQL and potentially gain privileges. Public details list the affected component as search.php in phpBB pri...
CVE-2005-3418
CVE-2005-3418 affects phpBB 2.0.17 and earlier: multiple cross-site scripting (XSS) vulnerabilities that allow remote attackers to inject arbitrary web scripts via (1) error_msg in usercp_register.php, (2) forward_page in login.php, or (3) list_cat in search.php—globals not initialized as variabl...
CVE-2006-0632
The CVE-2006-0632 entry affects phpBB 2.0.19. The gen_rand_string function uses insufficiently random data (small value space) to generate the activation key (validation ID) sent by e-mail when establishing a password, enabling remote attackers to obtain the key and modify passwords for existing ...
CVE-2005-3415
CVE-2005-3415 affects phpBB 2.0.17 and earlier, where remote attackers can bypass protection by setting a GET/POST/COOKIE variable and a GLOBALS[] variable with the same name, causing GLOBALS[] to be unset while the GPC variable remains. This can manipulate phpBB behavior. The OpenVAS and Debian ...
CVE-2005-1193
The CVE-2005-1193 vulnerability affects phpBB up to version 2.0.14 (before 2.0.15). The bbencode_second_pass and make_clickable functions in bbcode.php fail to filter BBCode URLs, allowing remote attackers to execute arbitrary script via URL schemes such as javascript:, applet:, about:, activex:,...
CVE-2003-1215
CVE-2003-1215 describes an SQL injection in phpBB’s groupcp.php affecting 2.0.6 and earlier, exploitable via the sql_in parameter. This allows group moderators to perform unauthorized activities. The vulnerability is documented across multiple sources (NVD, CVE list, and Nessus plugin), with an e...
CVE-2004-2350
The CVE-2004-2350 entry pertains to an SQL injection in phpBB’s search.php affecting phpBB 1.0 through 2.0.6 via the search_results parameter. The underlying vulnerability allows remote attackers to execute arbitrary SQL and potentially gain privileges, as described in the fixed-text CVE descript...
CVE-2005-0614
Affected software/component: phpBB (versions
CVE-2006-0450
CVE-2006-0450 affects phpBB 2.0.19 and earlier. The vulnerability allows remote attackers to cause a denial of service (application crash) by either: (1) registering many users through profile.php, or (2) performing a specially crafted search via search.php that confuses the database. The impact ...
CVE-2005-3416
CVE-2005-3416 affects phpBB up to version 2.0.17 (and earlier) where, if register_globals is enabled and session handling omits a call to session_start, an attacker can bypass security checks by assigning strings to $_SESSION and $HTTP_SESSION_VARS, which causes an array_merge to fail. OpenVAS/De...
CVE-2005-3417
The issue concerns phpBB 2.0.x (2.0.17 and earlier). CVE-2005-3417 is documented as allowing remote attackers to modify global variables and bypass security when certain PHP globals behavior is altered. OpenVAS and Debian/FreeBSD advisories confirm a set of related flaws (CVE-2005-3310, 3415, 341...
CVE-2005-3419
CVE-2005-3419 is a SQL injection vulnerability in phpBB2 (phpBB 2.0.x). The Debian advisory DSA-925-1 and OpenVAS entries enumerate that phpBB2 could be affected via the signature_bbcode_uid parameter, enabling remote attackers to execute arbitrary SQL commands. The issue is listed among multiple...
CVE-2005-3420
CVE-2005-3420 affects phpBB 2.0.x (notably phpBB 2.0.17) via the signature_bbcode_uid parameter in usercp_register.php, allowing remote attackers to modify regular expressions and execute PHP code. Debian and OpenVAS advisories group this with multiple phpBB vulnerabilities; Debian fixes upgrade ...
CVE-2005-3536
CVE-2005-3536: SQL injection in phpBB 2 prior to 2.0.18 via the topic type. Multiple connected advisories (Debian DSA-925-1, OpenVAS entries) confirm the vulnerability and suggest patching phpBB2 packages; remediation involves upgrading to the fixed phpBB version per the advisories. The affected...
CVE-2004-2055
The CVE-2004-2055 issue affects phpBB
CVE-2005-3537
CVE-2005-3537 affects phpBB 2 before 2.0.18, with a missing input/request validation flaw that enables remote attackers to edit private messages of other users by tampering with parameters or inputs. Public records in multiple feeds (NVD, Debian DSA, Red Hat, OpenVAS listings) confirm the vulnera...
CVE-2006-6421
CVE-2006-6421 is an XSS in phpBB 2.0.x; the private messaging (privmsg.php) feature allows remote authenticated users to inject arbitrary script/HTML via the Message body when targeting a non-existent user. Affected component: phpBB 2.0.x private messaging; root cause is user-supplied input not s...
CVE-2005-0603
The CVE-2005-0603 entry concerns phpBB up to version 2.0.12 where the viewtopic.php endpoint mishandles the highlight parameter containing invalid regular expression syntax. This causes a PHP error message that reveals the installation path, constituting a path disclosure vulnerability. Affected ...
CVE-2005-0259
CVE-2005-0259 affects phpBB 2.0.11 (and possibly other versions) where enabling remote avatars and avatar uploading allows local users to read arbitrary files by providing both a local and remote avatar location and setting the “Upload Avatar from a URL:” field to reference the target file. Root ...
CVE-2005-0258
CVE-2005-0258 is a directory traversal vulnerability in phpBB 2.0.11 (and possibly later versions) affecting the avatar handling paths when Gallery avatars are enabled. The issue resides in the code paths for usercp_avatar.php and usercp_register.php, where remote input can be manipulated with “...
CVE-2006-2865
The CVE-2006-2865 issue concerns phpBB 2 with a remote file inclusion in template.php via the page parameter, enabling an attacker to execute arbitrary PHP code. Concrete details from connected sources confirm the affected software (phpBB 2) and the vulnerable component (template.php) with the ro...
CVE-2006-2134
CVE-2006-2134 describes a PHP remote file inclusion in the Knowledge Base Mod for PHPBB 2.0.2 and earlier. The vulnerability stems from the module_root_path parameter, allowing remote attackers to execute arbitrary PHP code via a crafted URL in that parameter. Affected component is the include fi...
CVE-2005-0659
CVE-2005-0659 affects phpBB 2.0.13 and earlier. A direct request to oracle.php can disclose the installation path via a PHP error message, enabling remote disclosure of sensitive information. This mode provides the vulnerability description, affected software, and the underlying cause (path discl...
CVE-2005-1047
CVE-2005-1047 concerns a vulnerability in the phpBB 2.0.x up.php file upload mod. The issue is that the upload script does not properly restrict file types, allowing remote authenticated users to upload executable PHP files and subsequently access them from the uploads directory to execute arbitr...
CVE-2002-0902
CVE-2002-0902 describes a cross-site scripting vulnerability in phpBB 2.0.0 (phpBB2). An attacker can cause script execution in other phpBB users’ browsers by inserting a http:// and a double-quote (") into an IMG tag, bypassing phpBB’s security check, which terminates the src parameter of the IM...
CVE-2004-2054
The CVE-2004-2054 issue affects phpBB versions 2.0.4 and 2.0.9, where a CRLF injection enables HTTP Response Splitting to alter server HTML content via the mode parameter in privmsg.php or the redirect parameter in login.php. OpenVAS notes additional context for phpBB
CVE-2006-0438
CVE-2006-0438 is a CSRF vulnerability in phpBB 2.0.19 where enabling Link to off-site Avatar or bbcode (IMG) allows an attacker to perform actions as a logged-in user via a link or image in a profile (e.g., admin/admin_users.php, modcp.php). The NVD entry lists a CVSSv2 base score of 5.0 (Medium)...
CVE-2006-5209
The CVE-2006-5209 entry describes a PHP remote file inclusion in Admin Topic Action Logging Mod 0.95 and earlier, used with phpBB 2.0 up to 2.0.21. The vulnerability allows remote attackers to execute arbitrary PHP code via a URL supplied to the phpbb_root_path parameter in admin/admin_topic_acti...
CVE-2002-0473
CVE-2002-0473: The vulnerability affects db.php in phpBB 2.0 (aka phpBB2) RC-3 and earlier. The phpbb_root_path parameter enables remote attackers to execute arbitrary code from remote servers. This is a remote code execution issue in phpBB2 prior to the fixed version; no exploit details are pro...