CVE-2019-16993Cross-Site Request Forgery in Phpbb

CWE-352Cross-Site Request Forgery4 documents3 sources
Severity
8.8HIGHNVD
EPSS
0.2%
top 55.15%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
PhpbbPhpbb3Debian Linux
Timeline
PublishedSep 30
Latest updateMay 24

Description

In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an attacker also manages to retrieve the session id of a reauthenticated administrator prior to targeting them.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

Packagistphpbb/phpbb< 3.1.7-PL1
Ubuntuphpbb3/phpbb3< 3.0.12-1ubuntu0.1~esm1
NVDphpbb/phpbb3.1.7

Also affects: Debian Linux 8.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
phpBB Cross-Site Request Forgery (CSRF)2022-05-24
GHSA
phpBB Cross-Site Request Forgery (CSRF)2022-05-24
OSV
CVE-2019-16993: In phpBB before 32019-09-30