phpBB
by PhpBB
CVEs (119)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2015-1431 | 0.00 | — | 0.03 | Feb 10, 2015 | Cross-site scripting (XSS) vulnerability in includes/startup.php in phpBB before 3.0.13 allows remote attackers to inject arbitrary web script or HTML via vectors related to "Relative Path Overwrite." |
| CVE-2013-5724 | 0.00 | — | 0.00 | Sep 12, 2013 | Phpbb3 before 3.0.11-4 for Debian GNU/Linux uses world-writable permissions for cache files, which allows local users to modify the file contents via standard filesystem write operations. |
| CVE-2010-1630 | 0.00 | — | 0.01 | May 19, 2010 | Unspecified vulnerability in posting.php in phpBB before 3.0.5 has unknown impact and attack vectors related to the use of a "forum id" in circumstances related to a "global announcement." |
| CVE-2010-1627 | 0.00 | — | 0.01 | May 19, 2010 | feed.php in phpBB 3.0.7 before 3.0.7-PL1 does not properly check permissions for feeds, which allows remote attackers to bypass intended access restrictions via unspecified attack vectors related to permission settings on a private forum. |
| CVE-2008-7143 | 0.00 | — | 0.01 | Sep 1, 2009 | phpBB 2.0.23 includes the session ID in a request to modcp.php when the moderator or administrator closes a thread, which allows remote attackers to hijack the session via a post in the thread containing a URL to a remotely hosted image, which might include the session ID in the… |
| CVE-2008-6507 | 0.00 | — | 0.01 | Mar 23, 2009 | Unspecified vulnerability in phpBB before 3.0.4 allows attackers to obtain sensitive information via unknown vectors related to the lack of password prompts for a private message that quotes a post in a password-protected forum. |
| CVE-2008-6506 | 0.00 | — | 0.01 | Mar 23, 2009 | Unspecified vulnerability in phpBB before 3.0.4 allows attackers to bypass intended access restrictions and activate de-activated accounts via unknown vectors. |
| CVE-2008-4125 | 0.00 | — | 0.02 | Sep 18, 2008 | The search function in phpBB 2.x provides a search_id value that leaks the state of PHP's PRNG, which allows remote attackers to obtain potentially sensitive information, as demonstrated by a cross-application attack against WordPress, a different vulnerability than… |
| CVE-2008-3224 | 0.00 | — | 0.01 | Jul 18, 2008 | Unspecified vulnerability in phpBB before 3.0.1 has unknown impact and attack vectors related to "urls gone through redirect() being used within login_box()." |
| CVE-2008-1766 | 0.00 | — | 0.01 | Apr 12, 2008 | Multiple unspecified vulnerabilities in phpBB before 3.0.1 have unknown impact and attack vectors, related to "two minor security-related bugs." |
| CVE-2008-0471 | 0.00 | — | 0.01 | Jan 29, 2008 | Cross-site request forgery (CSRF) vulnerability in privmsg.php in phpBB 2.0.22 allows remote attackers to delete private messages (PM) as arbitrary users via a deleteall action. |
| CVE-2007-5033 | 0.00 | — | 0.01 | Sep 21, 2007 | Cross-site scripting (XSS) vulnerability in profile.php in phpBB XS 2 allows remote attackers to inject arbitrary web script or HTML via the selfdes parameter in a profile_info editprofile action. |
| CVE-2007-1695 | 0.00 | — | 0.02 | Mar 27, 2007 | PHP remote file inclusion vulnerability in includes/usercp_register.php in phpBB 2.0.19 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. NOTE: this issue has been disputed by third-party researchers, stating that the file checks… |
| CVE-2006-2219 | 0.00 | — | 0.01 | Feb 8, 2007 | phpBB 2.0.20 does not verify user-specified input variable types before being passed to type-dependent functions, which allows remote attackers to obtain sensitive information, as demonstrated by the (1) mode parameter to memberlist.php and the (2) highlight parameter to… |
| CVE-2006-2220 | 0.00 | — | 0.01 | Feb 8, 2007 | phpBB 2.0.20 does not properly verify user-specified input variables used as limits to SQL queries, which allows remote attackers to obtain sensitive information via a negative LIMIT specification, as demonstrated by the start parameter to memberlist.php, which reveals the SQL… |
| CVE-2006-6840 | 0.00 | — | 0.02 | Dec 31, 2006 | Unspecified vulnerability in phpBB before 2.0.22 has unknown impact and remote attack vectors related to a "negative start parameter." |
| CVE-2006-6841 | 0.00 | — | 0.02 | Dec 31, 2006 | Certain forms in phpBB before 2.0.22 lack session checks, which has unknown impact and remote attack vectors. |
| CVE-2006-6839 | 0.00 | — | 0.02 | Dec 31, 2006 | Unspecified vulnerability in phpBB before 2.0.22 has unknown impact and remote attack vectors related to "criteria for 'bad' redirection targets." |
| CVE-2006-6508 | 0.00 | — | 0.01 | Dec 14, 2006 | Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.21 allows remote authenticated users to send unauthorized messages as an arbitrary user via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party… |
| CVE-2006-5435 | 0.00 | — | 0.01 | Oct 20, 2006 | PHP remote file inclusion vulnerability in groupcp.php in phpBB 2.0.10 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. NOTE: CVE and the vendor dispute this vulnerability because $phpbb_root_path is defined before use |
Page 3 of 6