CVE-2019-13376

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-13376
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-13376.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-13376
Aliases
Downstream
Published
2019-09-27T13:15:10.383Z
Modified
2026-03-15T22:21:27.549352Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS

References

Affected packages

Git / github.com/phpbb/phpbb

Affected ranges

Type
GIT
Repo
https://github.com/phpbb/phpbb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
07767ab3e65377654286f4b16c4319e53fa86f04
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.2.7"
        }
    ]
}

Affected versions

release-3.*
release-3.0-B1
release-3.0-B2
release-3.0-B3
release-3.0-B4
release-3.0-B5
release-3.0-RC1
release-3.0-RC2
release-3.0-RC3
release-3.0-RC4
release-3.0-RC5
release-3.0-RC6
release-3.0-RC7
release-3.0-RC8
release-3.0.0
release-3.0.1
release-3.0.1-RC1
release-3.0.10
release-3.0.10-RC1
release-3.0.10-RC2
release-3.0.10-RC3
release-3.0.11-RC1
release-3.0.11-RC2
release-3.0.12-RC1
release-3.0.12-RC2
release-3.0.12-RC3
release-3.0.13-PL1
release-3.0.13-RC1
release-3.0.14
release-3.0.14-RC1
release-3.0.2
release-3.0.2-RC1
release-3.0.2-RC2
release-3.0.3
release-3.0.3-RC1
release-3.0.4
release-3.0.4-RC1
release-3.0.5
release-3.0.5-RC1
release-3.0.6
release-3.0.6-RC1
release-3.0.6-RC2
release-3.0.6-RC3
release-3.0.6-RC4
release-3.0.7
release-3.0.7-PL1
release-3.0.7-RC1
release-3.0.7-RC2
release-3.0.8
release-3.0.8-RC1
release-3.0.9
release-3.0.9-RC1
release-3.0.9-RC2
release-3.0.9-RC3
release-3.0.9-RC4
release-3.1.0
release-3.1.0-RC1
release-3.1.0-RC2
release-3.1.0-RC3
release-3.1.0-RC4
release-3.1.0-RC5
release-3.1.0-RC6
release-3.1.0-a1
release-3.1.0-a2
release-3.1.0-a3
release-3.1.0-b1
release-3.1.0-b2
release-3.1.0-b3
release-3.1.0-b4
release-3.1.1
release-3.1.10
release-3.1.10-RC1
release-3.1.11
release-3.1.11-RC1
release-3.1.12
release-3.1.2
release-3.1.2-RC1
release-3.1.3
release-3.1.3-RC1
release-3.1.3-RC2
release-3.1.4
release-3.1.4-RC1
release-3.1.4-RC2
release-3.1.5
release-3.1.5-RC1
release-3.1.6
release-3.1.6-RC1
release-3.1.7
release-3.1.7-RC1
release-3.1.7-pl1
release-3.1.8
release-3.1.8-RC1
release-3.1.9
release-3.1.9-RC1
release-3.2.0
release-3.2.0-RC1
release-3.2.0-RC2
release-3.2.0-a1
release-3.2.0-b2
release-3.2.1
release-3.2.1-RC1
release-3.2.2
release-3.2.2-RC1
release-3.2.3
release-3.2.3-RC1
release-3.2.3-RC2
release-3.2.4
release-3.2.4-RC1
release-3.2.5
release-3.2.5-RC1
release-3.2.6
release-3.2.6-RC1
release-3.2.7
release-3.2.7-RC1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-13376.json"