Phpbb Group Phpbb vulnerabilities
75 known vulnerabilities affecting phpbb_group/phpbb.
Total CVEs: 75
CISA KEV: 0
Public exploits: 20
Exploited in wild: 1
Severity breakdown: CRITICAL 7, HIGH 22, MEDIUM 44, LOW 2
Vulnerabilities
Page 1 of 4
CVE-2004-1315 | P2 | HIGH | CVSS 7.5 | Exploited | PoC | v1.0.0, v1.0.1, +26 more | 2004-11-12
viewtopic.php in phpBB 2.x before 2.0.11 improperly URL decodes the highlight parameter when extracting words and phrases to highlight, which allows remote attackers to execute arbitrary PHP code by double-encoding the highlight value so that special characters are inserted into the result, which is then processed by PHP exec, as exploited by the Santy.A worm.
nvd
CVE-2005-2086 | P2 | HIGH | CVSS 7.5 | PoC | v2.0.15 | 2005-07-05
PHP remote file inclusion vulnerability in viewtopic.php in phpBB 2.0.15 and earlier allows remote attackers to execute arbitrary PHP code.
nvd
CVE-2005-0614 | P3 | HIGH | CVSS 7.5 | PoC | v1.0.0, v1.2.0, +27 more | 2005-05-02
sessions.php in phpBB 2.0.12 and earlier allows remote attackers to gain administrator privileges via the autologinid value in a cookie.
nvd
CVE-2005-1193 | P3 | HIGH | CVSS 7.5 | PoC | v2.0.0, v2.0.1, +22 more | 2005-05-16
The bbencode_second_pass and make_clickable functions in bbcode.php for phpBB before 2.0.15, as used in viewtopic.php, privmsg.php, and other scripts, allow remote attackers to execute arbitrary script via a BBcode tag with a (1) javascript:, (2) applet:, (3) about:, (4) activex:, (5) chrome:, or (6) script: URI scheme, as demonstrated using the URL tag.
nvd
CVE-2006-2134 | P3 | MEDIUM | CVSS 5.1 | PoC | ≤ 2.0.2, v1.0.0, +14 more | 2006-05-02
PHP remote file inclusion vulnerability in /includes/kb_constants.php in Knowledge Base Mod for PHPbb 2.0.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the module_root_path parameter.
nvd
CVE-2006-5209 | P3 | HIGH | CVSS 7.5 | PoC | v2.0, v2.0.1, +29 more | 2006-10-10
PHP remote file inclusion vulnerability in admin/admin_topic_action_logging.php in Admin Topic Action Logging Mod 0.95 and earlier, as used in phpBB 2.0 up to 2.0.21, allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.
nvd
CVE-2004-1535 | P3 | HIGH | CVSS 7.5 | PoC | v2.0.0, v2.0.1, +14 more | 2004-12-31
PHP remote file inclusion vulnerability in admin_cash.php for the Cash Mod module for phpBB allows remote attackers to execute arbitrary PHP code by modifying the phpbb_root_path parameter to reference a URL on a remote web server that contains the code.
nvd
CVE-2002-2176 | P3 | CRITICAL | CVSS 10.0 | PoC | v2.0.0, v2.0.1 | 2002-12-31
SQL injection vulnerability in Gender MOD 1.1.3 allows remote attackers to gain administrative access via the user_level parameter in the User Profile page.
nvd
CVE-2003-1216 | P3 | HIGH | CVSS 7.5 | PoC | v1.0.0, v1.2.0, +17 more | 2003-11-27
SQL injection vulnerability in search.php for phpBB 2.0.6 and earlier allows remote attackers to execute arbitrary SQL and gain privileges via the search_id parameter.
nvd
CVE-2004-1943 | P3 | HIGH | CVSS 7.5 | PoC | v2.0.0, v2.0.1, +16 more | 2004-04-19
PHP remote file inclusion vulnerability in album_portal.php in phpBB modified by Przemo 1.8 allows remote attackers to execute arbitrary PHP code via the phpbb_root_path parameter.
nvd
CVE-2006-2865 | P3 | HIGH | CVSS 7.5 | PoC | v2.0, v2.0.1, +28 more | 2006-06-06
PHP remote file inclusion vulnerability in template.php in phpBB 2 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter. NOTE: followup posts have disputed this issue, stating that template.php does not appear in phpBB and does not use a $page variable. It is possible that this is a site-specific vulnerability, or an issue in a
nvd
CVE-2004-2350 | P3 | HIGH | CVSS 7.5 | PoC | v1.0.0, v1.2.0, +17 more | 2004-12-31
SQL injection vulnerability in search.php for phpBB 1.0 through 2.0.6 allows remote attackers to execute arbitrary SQL and gain privileges via the search_results parameter.
nvd
CVE-2003-1244 | P4 | HIGH | CVSS 7.5 | CWE-89 | PoC | v2.0.0, v2.0.1, +1 more | 2003-12-31
SQL injection vulnerability in page_header.php in phpBB 2.0, 2.0.1 and 2.0.2 allows remote attackers to brute force user passwords and possibly gain unauthorized access to forums via the forum_id parameter to index.php.
nvd
CVE-2006-4450 | P4 | MEDIUM | CVSS 5.1 | PoC | v2.0.20 | 2006-08-30
usercp_avatar.php in PHPBB 2.0.20, when avatar uploading is enabled, allows remote attackers to use the server as a web proxy by submitting a URL to the avatarurl parameter, which is then used in an HTTP GET request.
nvd
CVE-2006-6421 | P4 | MEDIUM | CVSS 6.0 | PoC | v2.0, v2.0.0, +30 more | 2006-12-10
Cross-site scripting (XSS) vulnerability in the private message box implementation (privmsg.php) in phpBB 2.0.x allows remote authenticated users to inject arbitrary web script or HTML via the "Message body" field in a message to a non-existent user.
nvd
CVE-2002-0902 | P4 | HIGH | CVSS 7.5 | PoC | v2.0.0, v2.0_beta1, +4 more | 2002-10-04
Cross-site scripting vulnerability in phpBB 2.0.0 (phpBB2) allows remote attackers to execute Javascript as other phpBB users by including a http:// and a double-quote (") in the [IMG] tag, which bypasses phpBB's security check, terminates the src parameter of the resulting HTML IMG tag, and injects the script.
nvd
CVE-2003-0486 | P4 | MEDIUM | CVSS 5.0 | PoC | ≤ 2.0.5 | 2003-08-07
SQL injection vulnerability in viewtopic.php for phpBB 2.0.5 and earlier allows remote attackers to steal password hashes via the topic_id parameter.
nvd
CVE-2001-1472 | P4 | MEDIUM | CVSS 4.6 | PoC | v1.4.0, v1.4.1 | 2001-08-03
SQL injection vulnerability in prefs.php in phpBB 1.4.0 and 1.4.1 allows remote authenticated users to execute arbitrary SQL commands and gain administrative access via the viewemail parameter.
nvd
CVE-2004-2130 | P4 | MEDIUM | CVSS 4.3 | PoC | v2.0.6 | 2004-12-23
Multiple cross-site scripting (XSS) vulnerabilities in privmsg.php in phpBB 2.0.6 allow remote attackers to execute arbitrary script or HTML via the (1) folder or (2) mode variables.
nvd
CVE-2005-0872 | P4 | MEDIUM | CVSS 4.3 | PoC | v1.0.1 | 2005-05-02
Cross-site scripting (XSS) vulnerability in calendar_scheduler.php in the Topic Calendar 1.0.1 module for phpBB allows remote attackers to inject arbitrary web script or HTML via the start parameter.
nvd