GHSA-vj3x-vfm4-hvxc

Source

https://github.com/advisories/GHSA-vj3x-vfm4-hvxc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vj3x-vfm4-hvxc/GHSA-vj3x-vfm4-hvxc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vj3x-vfm4-hvxc

Aliases

CVE-2019-16993

Published

2022-05-24T16:57:09Z

Modified

2024-04-24T17:57:36.508064Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

phpBB Cross-Site Request Forgery (CSRF)

Details

In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an attacker also manages to retrieve the session id of a reauthenticated administrator prior to targeting them.

Database specific

{
    "nvd_published_at": "2019-09-30T12:15:00Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-24T17:44:43Z"
}

References

Affected packages

Packagist / phpbb/phpbb

Package

Name: phpbb/phpbb
Purl: pkg:composer/phpbb/phpbb

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.7-PL1

Affected versions

3.*

3.0.12-RC1

3.0.12-RC2

3.0.12-RC3

3.0.12

3.0.13-PL1

3.0.13-RC1

3.0.13

3.0.14-RC1

3.0.14

3.1.0-a1

3.1.0-a2

3.1.0-a3

3.1.0-b1

3.1.0-b2

3.1.0-b3

3.1.0-b4

3.1.0-RC1

3.1.0-RC2

3.1.0-RC3

3.1.0-RC4

3.1.0-RC5

3.1.0-RC6

3.1.0

3.1.1

3.1.2-RC1

3.1.2

3.1.3-RC1

3.1.3-RC2

3.1.3

3.1.4-RC1

3.1.4-RC2

3.1.4

3.1.5-RC1

3.1.5

3.1.6-RC1

3.1.6