Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02bWgyLTk4Z3Itd3Y3Ns4AAiKB
phpBB Cross-Site Request Forgery (CSRF)
phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS
Permalink: https://github.com/advisories/GHSA-6mh2-98gr-wv76JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02bWgyLTk4Z3Itd3Y3Ns4AAiKB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 14 days ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Identifiers: GHSA-6mh2-98gr-wv76, CVE-2019-13376
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-13376
- https://ssd-disclosure.com/archives/4007/ssd-advisory-phpbb-csrf-token-hijacking-leading-to-stored-xss
- https://blog.phpbb.com/category/security
- https://github.com/advisories/GHSA-6mh2-98gr-wv76
Affected Packages
packagist:phpbb/phpbb
Dependent packages: 23Dependent repositories: 168
Downloads: 19,683 total
Affected Version Ranges: <= 3.2.7
Fixed in: 3.2.8
All affected versions: 3.0.12, 3.0.13, 3.0.14, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7
All unaffected versions: 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.3.11