CVE-2018-19274

Source
https://nvd.nist.gov/vuln/detail/CVE-2018-19274
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-19274.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-19274
Aliases
Related
Published
2018-11-17T13:29:00Z
Modified
2024-09-03T02:07:51.745040Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.

References

Affected packages

Git / github.com/phpbb/phpbb

Affected ranges

Type
GIT
Repo
https://github.com/phpbb/phpbb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

release-3.*

release-3.0-B1
release-3.0-B2
release-3.0-B3
release-3.0-B4
release-3.0-B5
release-3.0-RC1
release-3.0-RC2
release-3.0-RC3
release-3.0-RC4
release-3.0-RC5
release-3.0-RC6
release-3.0-RC7
release-3.0-RC8
release-3.0.0
release-3.0.1
release-3.0.1-RC1
release-3.0.10
release-3.0.10-RC1
release-3.0.10-RC2
release-3.0.10-RC3
release-3.0.11-RC1
release-3.0.11-RC2
release-3.0.12-RC1
release-3.0.12-RC2
release-3.0.12-RC3
release-3.0.13-PL1
release-3.0.13-RC1
release-3.0.14
release-3.0.14-RC1
release-3.0.2
release-3.0.2-RC1
release-3.0.2-RC2
release-3.0.3
release-3.0.3-RC1
release-3.0.4
release-3.0.4-RC1
release-3.0.5
release-3.0.5-RC1
release-3.0.6
release-3.0.6-RC1
release-3.0.6-RC2
release-3.0.6-RC3
release-3.0.6-RC4
release-3.0.7
release-3.0.7-PL1
release-3.0.7-RC1
release-3.0.7-RC2
release-3.0.8
release-3.0.8-RC1
release-3.0.9
release-3.0.9-RC1
release-3.0.9-RC2
release-3.0.9-RC3
release-3.0.9-RC4
release-3.1.0
release-3.1.0-RC1
release-3.1.0-RC2
release-3.1.0-RC3
release-3.1.0-RC4
release-3.1.0-RC5
release-3.1.0-RC6
release-3.1.0-a1
release-3.1.0-a2
release-3.1.0-a3
release-3.1.0-b1
release-3.1.0-b2
release-3.1.0-b3
release-3.1.0-b4
release-3.1.1
release-3.1.10
release-3.1.10-RC1
release-3.1.11
release-3.1.11-RC1
release-3.1.12
release-3.1.2
release-3.1.2-RC1
release-3.1.3
release-3.1.3-RC1
release-3.1.3-RC2
release-3.1.4
release-3.1.4-RC1
release-3.1.4-RC2
release-3.1.5
release-3.1.5-RC1
release-3.1.6
release-3.1.6-RC1
release-3.1.7
release-3.1.7-RC1
release-3.1.7-pl1
release-3.1.8
release-3.1.8-RC1
release-3.1.9
release-3.1.9-RC1
release-3.2.0
release-3.2.0-RC1
release-3.2.0-RC2
release-3.2.0-a1
release-3.2.0-b2
release-3.2.1
release-3.2.1-RC1
release-3.2.2
release-3.2.2-RC1
release-3.2.3
release-3.2.3-RC1
release-3.2.3-RC2
release-3.2.4-RC1