CVE-2005-4357
Description
Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary Javascript via a permitted HTML tag with " (quote) characters and active attributes such as onmouseover.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches (2)
Vulnerability mechanics
Root cause
"Permitted HTML tags are not sanitized to remove quote characters and event handler attributes, allowing injection of arbitrary JavaScript."
Attack vector
An attacker can inject arbitrary JavaScript by crafting a permitted HTML tag (e.g., `<B>`) that includes a quote character and an event handler attribute such as `onmouseover`. The advisory provides the example `<B C=">" onmouseover="alert(...)" X="<B ">` which, when rendered by a victim's browser, executes the attacker's script. No authentication is required if the board allows guests to post with HTML enabled, or if a registered user has "Always allow HTML: YES" in their profile.
Affected code
The vulnerability exists in phpBB 2.0.18's HTML tag handling when the "Allowed HTML tags" feature is enabled (tags such as `b`, `i`, `u`, `pre`). The advisory identifies that permitted HTML tags are not sanitized to prevent injection of arbitrary attributes, specifically in the `admin/admin_disallow.php` file (though the XSS vector itself is in the posting/messaging subsystem).
What the fix does
The bundle does not include a patch. The advisory references a phpBB forum thread (http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=352966) as the vendor's response, but no code diff is provided. The recommended remediation would be to strip or encode quote characters and disallow event handler attributes within permitted HTML tags, or to disable the "Allowed HTML tags" feature entirely.
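As an added illustration of the remediation described above (this is not phpBB's code and not a vendor patch), the following Python sanitizer takes the stricter of the two options named: it parses the post with the standard-library HTMLParser and re-emits permitted tags with every attribute dropped, so neither quote characters nor event-handler attributes survive into the rendered page. The tag set, class and function names, and the sample post are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# The advisory's "Allowed HTML tags" set (constructed for this example).
ALLOWED_TAGS = frozenset({"b", "i", "u", "pre"})


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup from parsed tokens instead of pattern-matching the raw string.
    Permitted tags are re-emitted bare, so attributes (quote characters, on*
    handlers, a '<' nested inside an attribute value) never reach the output;
    every other token is HTML-escaped as literal text."""

    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True: entities decode to text, then get re-escaped
        self.out: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        # The parser lower-cases tag names, so "<B ...>" is compared as "b".
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
        else:
            self.out.append(escape(self.get_starttag_text() or ""))

    def handle_endtag(self, tag: str) -> None:
        closing = f"</{tag}>"
        self.out.append(closing if tag in ALLOWED_TAGS else escape(closing))

    def handle_data(self, data: str) -> None:
        self.out.append(escape(data))

    # Comments and doctype declarations are never markup in a forum post.
    def handle_comment(self, data: str) -> None:
        self.out.append(escape(f"<!--{data}-->"))

    def handle_decl(self, decl: str) -> None:
        self.out.append(escape(f"<!{decl}>"))


def sanitize(post_body: str) -> str:
    """Return post_body with only bare allow-listed tags left as live markup."""
    parser = AllowlistSanitizer()
    parser.feed(post_body)
    parser.close()
    return "".join(parser.out)


# Constructed sample in the advisory's payload shape: quote characters and an
# event-handler attribute on a permitted tag, followed by ordinary post text.
SAMPLE_POST = '<B C=">" onmouseover="alert(1)" X="<B ">hover me'
```

Because the output is rebuilt from tokens rather than from the original string, the check does not depend on where a regular expression stops at the first `>` inside a quoted attribute value.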
Preconditions
- Config: the board must have "Allowed HTML tags" enabled (e.g., b, i, u, pre)
- Auth: the attacker must be able to post content (as a guest if guests can post with HTML, or as a registered user with "Always allow HTML: YES")
- Input: the victim must hover over or otherwise trigger the injected event handler (e.g., onmouseover)
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- securityreason.com/securityalert/269 (NVD; Exploit; Vendor Advisory)
- secunia.com/advisories/18125 (NVD; Vendor Advisory)
- marc.info (NVD)
- secunia.com/advisories/18252 (NVD)
- securityreason.com/achievement_securityalert/29 (NVD)
- www.osvdb.org/21803 (NVD)
- www.phpbb.com/phpBB/viewtopic.php (NVD)
- www.securityfocus.com/archive/1/420537/100/0/threaded (NVD)
- www.vupen.com/english/advisories/2005/2991 (NVD)
- www.vupen.com/english/advisories/2006/0010 (NVD)