RSS   Vulnerabilities for 'Phpbb'   RSS

2007-03-26
 
CVE-2007-1695

CWE-Other
 

 
** DISPUTED ** PHP remote file inclusion vulnerability in includes/usercp_register.php in phpBB 2.0.19 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. NOTE: this issue has been disputed by third-party researchers, stating that the file checks for a global constant and cannot be accessed directly.

 
2006-12-31
 
CVE-2006-6841

 

 
Certain forms in phpBB before 2.0.22 lack session checks, which has unknown impact and remote attack vectors.

 
 
CVE-2006-6840

 

 
Unspecified vulnerability in phpBB before 2.0.22 has unknown impact and remote attack vectors related to a "negative start parameter."

 
 
CVE-2006-6839

 

 
Unspecified vulnerability in phpBB before 2.0.22 has unknown impact and remote attack vectors related to "criteria for 'bad' redirection targets."

 
2006-12-13
 
CVE-2006-6508

 

 
Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.21 allows remote authenticated users to send unauthorized messages as an arbitrary user via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

 
2006-12-10
 
CVE-2006-6421

CWE-Other
 

 
Cross-site scripting (XSS) vulnerability in the private message box implementation (privmsg.php) in phpBB 2.0.x allows remote authenticated users to inject arbitrary web script or HTML via the "Message body" field in a message to a non-existent user.

 
2006-10-20
 
CVE-2006-5435

CWE-Other
 

 
** DISPUTED ** PHP remote file inclusion vulnerability in groupcp.php in phpBB 2.0.10 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. NOTE: CVE and the vendor dispute this vulnerability because $phpbb_root_path is defined before use.

 
2006-10-10
 
CVE-2006-5209

 

 
PHP remote file inclusion vulnerability in admin/admin_topic_action_logging.php in Admin Topic Action Logging Mod 0.95 and earlier, as used in phpBB 2.0 up to 2.0.21, allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

 
2006-09-13
 
CVE-2006-4758

CWE-Other
 

 
phpBB 2.0.21 does not properly handle pathnames ending in %00, which allows remote authenticated administrative users to upload arbitrary files, as demonstrated by a query to admin/admin_board.php with an avatar_path parameter ending in .php%00.

 
2006-08-29
 
CVE-2006-4450

 

 
usercp_avatar.php in PHPBB 2.0.20, when avatar uploading is enabled, allows remote attackers to use the server as a web proxy by submitting a URL to the avatarurl parameter, which is then used in an HTTP GET request.

 


Copyright 2021, cxsecurity.com

 

Back to Top