CVE-2019-13376

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-13376
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-13376.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-13376
Aliases
Downstream
Published
2019-09-27T13:15:10.383Z
Modified
2026-04-10T04:12:11.922250Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS

References

Affected packages

Git / github.com/phpbb/phpbb

Affected ranges

Type
GIT
Repo
https://github.com/phpbb/phpbb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
07767ab3e65377654286f4b16c4319e53fa86f04
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.2.7"
        }
    ]
}

Affected versions

release-3.*
release-3.2.7
release-3.2.7-RC1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-13376.json"