CVE-2019-13376 — Cross-site Scripting in Phpbb

CWE-79 — Cross-site Scripting CWE-352 — Cross-Site Request Forgery4 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 82.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phpbb Phpbb3

Timeline

PublishedSep 27

Latest updateMay 24

Description

phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶Packagistphpbb/phpbb< 3.2.8

▶Ubuntuphpbb3/phpbb3< 3.0.12-1ubuntu0.1~esm1

▶NVDphpbb/phpbb3.2.7

🔴Vulnerability Details

OSV

phpBB Cross-Site Request Forgery (CSRF)↗2022-05-24

▶

GHSA

phpBB Cross-Site Request Forgery (CSRF)↗2022-05-24

▶

OSV

CVE-2019-13376: phpBB version 3↗2019-09-27

▶