4.6 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:S/C:P/I:P/A:P
0.006 Low
EPSS
Percentile
77.5%
phpBB 2.0.21 does not properly handle pathnames ending in %00, which allows
remote authenticated administrative users to upload arbitrary files, as
demonstrated by a query to admin/admin_board.php with an avatar_path
parameter ending in .php%00.