CVE-2006-1895 — Permissive Regular Expression in Group Phpbb

CWE-625 — Permissive Regular Expression4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 41.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phpbb Group Phpbb

Timeline

PublishedApr 20

Latest updateMay 1

Description

Direct static code injection vulnerability in includes/template.php in phpBB allows remote authenticated users with write access to execute arbitrary PHP code by modifying a template in a way that (1) bypasses a loose ".*" regular expression to match BEGIN and END statements in overall_header.tpl, or (2) is used in an eval statement by includes/bbcode.php for bbcode.tpl.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages1 packages

▶NVDphpbb_group/phpbb2.0.9

🔴Vulnerability Details

GHSA

GHSA-ghp7-3wpq-fx4r: Direct static code injection vulnerability in includes/template↗2022-05-01

▶

💥Exploits & PoCs

Exploit-DB

AnnonceV News Script 1.1 - 'page' Remote File Inclusion↗2006-09-05

▶

📐Framework References

CWE

Permissive Regular Expression↗

▶