phpBB 3.2.8 allows a CSRF attack that can modify a group avatar.
{ "severity": "Medium", "cpes": [ "cpe:2.3:a:phpbb:phpbb:3.2.8:*:*:*:*:*:*:*" ] }