phpBB
by PhpBB
CVEs (119)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2007-0762 | 0.03 | — | 0.03 | Feb 6, 2007 | PHP remote file inclusion vulnerability in includes/functions.php in phpBB++ Build 100 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. |
| CVE-2006-5209 | 0.03 | — | 0.02 | Oct 10, 2006 | PHP remote file inclusion vulnerability in admin/admin_topic_action_logging.php in Admin Topic Action Logging Mod 0.95 and earlier, as used in phpBB 2.0 up to 2.0.21, allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. |
| CVE-2006-5191 | 0.03 | — | 0.03 | Oct 10, 2006 | PHP remote file inclusion vulnerability in includes/functions_static_topics.php in the Nivisec Static Topics module for phpBB 1.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. |
| CVE-2006-4450 | 0.03 | — | 0.04 | Aug 30, 2006 | usercp_avatar.php in PHPBB 2.0.20, when avatar uploading is enabled, allows remote attackers to use the server as a web proxy by submitting a URL to the avatarurl parameter, which is then used in an HTTP GET request. |
| CVE-2006-2865 | 0.03 | — | 0.03 | Jun 6, 2006 | PHP remote file inclusion vulnerability in template.php in phpBB 2 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter. NOTE: followup posts have disputed this issue, stating that template.php does not appear in phpBB and does not use a $page… |
| CVE-2006-2359 | 0.03 | — | 0.01 | May 15, 2006 | Cross-site scripting (XSS) vulnerability in charts.php in the Chart mod for phpBB allows remote attackers to inject arbitrary web script or HTML via the id parameter. NOTE: this issue might be resultant from SQL injection. |
| CVE-2006-2360 | 0.03 | — | 0.01 | May 15, 2006 | SQL injection vulnerability in charts.php in the Chart mod for phpBB allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2005-1378 | 0.03 | — | 0.02 | May 3, 2005 | SQL injection vulnerability in posting_notes.php in the notes module for phpBB allows remote attackers to execute arbitrary SQL commands via the p parameter, which is used in the $post_id variable, and other attack vectors. |
| CVE-2005-1196 | 0.03 | — | 0.02 | May 2, 2005 | SQL injection vulnerability in kb.php in the Knowledge Base module for phpBB allows remote attackers to obtain sensitive information and execute SQL commands via the cat parameter. |
| CVE-2004-2350 | 0.03 | — | 0.01 | Dec 31, 2004 | SQL injection vulnerability in search.php for phpBB 1.0 through 2.0.6 allows remote attackers to execute arbitrary SQL and gain privileges via the search_results parameter. |
| CVE-2004-1943 | 0.03 | — | 0.03 | Apr 19, 2004 | PHP remote file inclusion vulnerability in album_portal.php in phpBB modified by Przemo 1.8 allows remote attackers to execute arbitrary PHP code via the phpbb_root_path parameter. |
| CVE-2003-1244 | 0.03 | — | 0.01 | Dec 31, 2003 | SQL injection vulnerability in page_header.php in phpBB 2.0, 2.0.1 and 2.0.2 allows remote attackers to brute force user passwords and possibly gain unauthorized access to forums via the forum_id parameter to index.php. |
| CVE-2003-1216 | 0.03 | — | 0.02 | Nov 27, 2003 | SQL injection vulnerability in search.php for phpBB 2.0.6 and earlier allows remote attackers to execute arbitrary SQL and gain privileges via the search_id parameter. |
| CVE-2002-2176 | 0.03 | — | 0.03 | Dec 31, 2002 | SQL injection vulnerability in Gender MOD 1.1.3 allows remote attackers to gain administrative access via the user_level parameter in the User Profile page. |
| CVE-2001-1472 | 0.03 | — | 0.03 | Aug 3, 2001 | SQL injection vulnerability in prefs.php in phpBB 1.4.0 and 1.4.1 allows remote authenticated users to execute arbitrary SQL commands and gain administrative access via the viewemail parameter. |
| CVE-2004-1315 | 0.02 | — | 0.72 | Nov 12, 2004 | viewtopic.php in phpBB 2.x before 2.0.11 improperly URL decodes the highlight parameter when extracting words and phrases to highlight, which allows remote attackers to execute arbitrary PHP code by double-encoding the highlight value so that special characters are inserted into… |
| CVE-2023-5917 | 0.00 | — | 0.01 | Nov 2, 2023 | A vulnerability, which was classified as problematic, has been found in phpBB up to 3.3.10. This issue affects the function main of the file phpBB/includes/acp/acp_icons.php of the component Smiley Pack Handler. The manipulation of the argument pak leads to cross site scripting.… |
| CVE-2020-8226 | 0.00 | — | 0.01 | Aug 17, 2020 | A vulnerability exists in phpBB <v3.2.10 and <v3.3.1 which allowed remote image dimensions check to be used to SSRF. |
| CVE-2011-0544 | 0.00 | — | 0.01 | Nov 13, 2019 | phpbb 3.0.x-3.0.6 has an XSS vulnerability via the [flash] BB tag. |
| CVE-2015-1432 | 0.00 | — | 0.01 | Feb 10, 2015 | The message_options function in includes/ucp/ucp_pm_options.php in phpBB before 3.0.13 does not properly validate the form key, which allows remote attackers to conduct CSRF attacks and change the full folder setting via unspecified vectors. |