Phpbb Group Phpbb vulnerabilities
75 known vulnerabilities affecting phpbb_group/phpbb.
Total CVEs: 75
CISA KEV: 0
Public exploits: 20
Exploited in wild: 1
Severity breakdown: CRITICAL 7, HIGH 22, MEDIUM 44, LOW 2
Vulnerabilities
Page 2 of 4
CVE-2002-0473 | P3 | CRITICAL | CVSS 10.0 | v2.0_beta1, v2.0_rc1 +2 more | 2002-08-12
db.php in phpBB 2.0 (aka phpBB2) RC-3 and earlier allows remote attackers to execute arbitrary code from remote servers via the phpbb_root_path parameter.
nvd
CVE-2005-3415 | P3 | HIGH | CVSS 7.5 | v2.0.0, v2.0.1 +25 more | 2005-11-01
phpBB 2.0.17 and earlier allows remote attackers to bypass protection mechanisms that deregister global variables by setting both a GET/POST/COOKIE (GPC) variable and a GLOBALS[] variable with the same name, which causes phpBB to unset the GLOBALS[] variable but not the GPC variable.
nvd
CVE-2005-1047 | P3 | HIGH | CVSS 7.5 | v2.0.0, v2.0.1 +22 more | 2005-04-07
Meilad File upload script (up.php) mod for phpBB 2.0.x does not properly limit the types of files that can be uploaded, which allows remote authenticated users to execute arbitrary commands by uploading PHP files, then directly requesting them from the uploads directory.
nvd
CVE-2005-3419 | P3 | HIGH | CVSS 7.5 | v2.0.0, v2.0.1 +25 more | 2005-11-01
SQL injection vulnerability in usercp_register.php in phpBB 2.0.17 allows remote attackers to execute arbitrary SQL commands via the signature_bbcode_uid parameter, which is not properly initialized.
nvd
CVE-2005-3420 | P4 | HIGH | CVSS 7.5 | v2.0.0, v2.0.1 +25 more | 2005-11-01
usercp_register.php in phpBB 2.0.17 allows remote attackers to modify regular expressions and execute PHP code via the signature_bbcode_uid parameter, as demonstrated by injecting an "e" modifier into a preg_replace statement.
nvd
CVE-2005-3416 | P4 | HIGH | CVSS 7.5 | v2.0.0, v2.0.1 +25 more | 2005-11-01
phpBB 2.0.17 and earlier, when register_globals is enabled and the session_start function has not been called to handle a session, allows remote attackers to bypass security checks by setting the $_SESSION and $HTTP_SESSION_VARS variables to strings instead of arrays, which causes an array_merge function call to fail.
nvd
CVE-2005-3417 | P4 | HIGH | CVSS 7.5 | v2.0.0, v2.0.1 +25 more | 2005-11-01
phpBB 2.0.17 and earlier, when the register_long_arrays directive is disabled, allows remote attackers to modify global variables and bypass security mechanisms because PHP does not define the associated HTTP_* variables.
nvd
CVE-2007-1695 | P4 | CRITICAL | CVSS 10.0 | v2.0.19 | 2007-03-27
PHP remote file inclusion vulnerability in includes/usercp_register.php in phpBB 2.0.19 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. NOTE: this issue has been disputed by third-party researchers, stating that the file checks for a global constant and cannot be accessed directly
nvd
CVE-2005-3536 | P4 | HIGH | CVSS 7.5 | v2.0.0, v2.0.1 +25 more | 2005-12-22
SQL injection vulnerability in phpBB 2 before 2.0.18 allows remote attackers to execute arbitrary SQL commands via the topic type.
nvd
CVE-2005-1114 | P4 | HIGH | CVSS 7.5 | v2.0.0, v2.0.1 +16 more | 2005-05-02
Multiple SQL injection vulnerabilities in album_search.php in Photo Album 2.0.53 for phpBB allow remote attackers to execute arbitrary SQL commands via the (1) mode or (2) search parameters.
nvd
CVE-2002-1537 | P4 | CRITICAL | CVSS 10.0 | v2.0.0 | 2003-03-31
admin_ug_auth.php in phpBB 2.0.0 allows local users to gain administrator privileges by directly calling admin_ug_auth.php with modified form fields such as "u".
nvd
CVE-2006-5435 | P4 | HIGH | CVSS 7.5 | ≤ 2.0.10 | 2006-10-20
PHP remote file inclusion vulnerability in groupcp.php in phpBB 2.0.10 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. NOTE: CVE and the vendor dispute this vulnerability because $phpbb_root_path is defined before use
nvd
CVE-2006-6840 | P4 | CRITICAL | CVSS 10.0 | v1.2.4_rc3, v2.0.18 +2 more | 2006-12-31
Unspecified vulnerability in phpBB before 2.0.22 has unknown impact and remote attack vectors related to a "negative start parameter."
nvd
CVE-2006-1895 | P4 | MEDIUM | CVSS 6.5 | v2.0.9 | 2006-04-20
Direct static code injection vulnerability in includes/template.php in phpBB allows remote authenticated users with write access to execute arbitrary PHP code by modifying a template in a way that (1) bypasses a loose ".*" regular expression to match BEGIN and END statements in overall_header.tpl, or (2) is used in an eval statement by includes/bbcode.php for
nvd
CVE-2006-6839 | P4 | CRITICAL | CVSS 10.0 | v1.2.4_rc3, v2.0.18 +2 more | 2006-12-31
Unspecified vulnerability in phpBB before 2.0.22 has unknown impact and remote attack vectors related to "criteria for 'bad' redirection targets."
nvd
CVE-2006-6841 | P4 | CRITICAL | CVSS 10.0 | v1.2.4_rc3, v2.0.18 +2 more | 2006-12-31
Certain forms in phpBB before 2.0.22 lack session checks, which has unknown impact and remote attack vectors.
nvd
CVE-2001-1482 | P4 | HIGH | CVSS 7.5 | v1.4.2 | 2001-12-31
SQL injection vulnerability in bb_memberlist.php for phpBB 1.4.2 allows remote attackers to execute arbitrary SQL queries via the $sortby variable.
nvd
CVE-2006-0632 | P4 | MEDIUM | CVSS 6.4 | v2.0.0, v2.0.1 +27 more | 2006-02-10
The gen_rand_string function in phpBB 2.0.19 uses insufficiently random data (small value space) to create the activation key ("validation ID") that is sent by e-mail when establishing a password, which makes it easier for remote attackers to obtain the key and modify passwords for existing accounts or create new accounts.
nvd
CVE-2006-4758 | P4 | MEDIUM | CVSS 4.6 | v2.0.21 | 2006-09-13
phpBB 2.0.21 does not properly handle pathnames ending in %00, which allows remote authenticated administrative users to upload arbitrary files, as demonstrated by a query to admin/admin_board.php with an avatar_path parameter ending in .php%00.
nvd
CVE-2005-0258 | P4 | MEDIUM | CVSS 5.0 | v2.0.0, v2.0.1 +19 more | 2005-03-14
Directory traversal vulnerability in (1) usercp_register.php and (2) usercp_avatar.php for phpBB 2.0.11, and possibly other versions, with gallery avatars enabled, allows remote attackers to delete (unlink) arbitrary files via "/../" sequences in the avatarselect parameter.
nvd