CVE-2018-19274

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2018-19274
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-19274.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-19274
Aliases
Downstream
Published
2018-11-17T13:29:00.240Z
Modified
2026-04-10T04:07:31.552630Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.

References

Affected packages

Git / github.com/phpbb/phpbb

Affected ranges

Type
GIT
Repo
https://github.com/phpbb/phpbb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
023ec01611123c426a5aeaf812e50fb1ade43c0e
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.2.4"
        }
    ]
}

Affected versions

release-3.*
release-3.2.4-RC1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-19274.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    }
]