VYPR

phpBB

by PhpBB

Source repositories

CVEs (119)

  • CVE-2006-4893Sep 19, 2006
    risk 0.00cvss epss 0.03

    PHP remote file inclusion vulnerability in bb_usage_stats/includes/bb_usage_stats.php in phpBB XS 0.58 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter, a different vector than CVE-2006-4780.

  • CVE-2006-4758Sep 13, 2006
    risk 0.00cvss epss 0.02

    phpBB 2.0.21 does not properly handle pathnames ending in %00, which allows remote authenticated administrative users to upload arbitrary files, as demonstrated by a query to admin/admin_board.php with an avatar_path parameter ending in .php%00.

  • CVE-2006-2134May 2, 2006
    risk 0.00cvss epss 0.10

    PHP remote file inclusion vulnerability in /includes/kb_constants.php in Knowledge Base Mod for PHPbb 2.0.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the module_root_path parameter.

  • CVE-2006-1895Apr 20, 2006
    risk 0.00cvss epss 0.01

    Direct static code injection vulnerability in includes/template.php in phpBB allows remote authenticated users with write access to execute arbitrary PHP code by modifying a template in a way that (1) bypasses a loose ".*" regular expression to match BEGIN and END statements in…

  • CVE-2006-1896Apr 20, 2006
    risk 0.00cvss epss 0.01

    Unspecified vulnerability in phpBB allows remote authenticated users with Administration Panel access to execute arbitrary PHP code via crafted Font Colour 3 ($theme[fontcolor3] variable) and/or signature values, possibly involving the highlight functionality. NOTE: the…

  • CVE-2006-1775Apr 13, 2006
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.19 allow remote attackers to inject arbitrary web script or HTML via the (1) Site Description field in (a) admin_board.php, the (2) Group name and (3) Group description fields in (b) admin_groups.php and (c)…

  • CVE-2006-1603Apr 4, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in profile.php in phpBB 2.0.19 allows remote attackers to inject arbitrary web script or HTML via the cur_password parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…

  • CVE-2006-0632Feb 10, 2006
    risk 0.00cvss epss 0.03

    The gen_rand_string function in phpBB 2.0.19 uses insufficiently random data (small value space) to create the activation key ("validation ID") that is sent by e-mail when establishing a password, which makes it easier for remote attackers to obtain the key and modify passwords…

  • CVE-2006-0437Feb 6, 2006
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in admin_smilies.php in phpBB 2.0.19 allows remote attackers to inject arbitrary web script or HTML via Javascript events such as "onmouseover" in the (1) smile_url or (2) smile_emotion parameters, which bypasses a check for "<" and ">"…

  • CVE-2006-0438Feb 6, 2006
    risk 0.00cvss epss 0.02

    Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.19, when Link to off-site Avatar or bbcode (IMG) are enabled, allows remote attackers to perform unauthorized actions as a logged in user via a link or IMG tag in a user profile, as demonstrated using links to (1)…

  • CVE-2006-0450Jan 27, 2006
    risk 0.00cvss epss 0.05

    phpBB 2.0.19 and earlier allows remote attackers to cause a denial of service (application crash) by (1) registering many users through profile.php or (2) using search.php to search in a certain way that confuses the database.

  • CVE-2006-0063Jan 5, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in phpBB 2.0.19, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary web script or HTML via a permitted HTML tag with ' (single quote) characters and active attributes such as onmouseover, a variant of…

  • CVE-2005-3537Dec 22, 2005
    risk 0.00cvss epss 0.01

    A "missing request validation" error in phpBB 2 before 2.0.18 allows remote attackers to edit private messages of other users, probably by modifying certain parameters or other inputs.

  • CVE-2005-3536Dec 22, 2005
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in phpBB 2 before 2.0.18 allows remote attackers to execute arbitrary SQL commands via the topic type.

  • CVE-2005-4357Dec 20, 2005
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary Javascript via a permitted HTML tag with " (quote) characters and active attributes such as onmouseover.

  • CVE-2005-4358Dec 20, 2005
    risk 0.00cvss epss 0.02

    admin/admin_disallow.php in phpBB 2.0.18 allows remote attackers to obtain the installation path via a direct request with a non-empty setmodules parameter, which causes an invalid append_sid function call that leaks the path in an error message.

  • CVE-2005-3799Nov 24, 2005
    risk 0.00cvss epss 0.02

    phpBB 2.0.18 allows remote attackers to obtain sensitive information via a large SQL query, which generates an error message that reveals SQL syntax or the full installation path.

  • CVE-2005-3418Nov 1, 2005
    risk 0.00cvss epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.17 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) error_msg parameter to usercp_register.php, (2) forward_page parameter to login.php, and (3) list_cat parameter to…

  • CVE-2005-3419Nov 1, 2005
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in usercp_register.php in phpBB 2.0.17 allows remote attackers to execute arbitrary SQL commands via the signature_bbcode_uid parameter, which is not properly initialized.

  • CVE-2005-3415Nov 1, 2005
    risk 0.00cvss epss 0.02

    phpBB 2.0.17 and earlier allows remote attackers to bypass protection mechanisms that deregister global variables by setting both a GET/POST/COOKIE (GPC) variable and a GLOBALS[] variable with the same name, which causes phpBB to unset the GLOBALS[] variable but not the GPC…

Page 4 of 6