CVE-2019-13376

MEDIUM6.5EPSS 0.06%

phpbb3 - security update

發布日:2022/5/24修改日:2026/3/9

描述

phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS

受影響套件(3)

Debian/phpbb3from 0, < 3.0.12-5+deb8u4
Debian/phpbb3from 0, < 3.0.12-5+deb8u4
Packagist/phpbb/phpbbfrom 0, < 3.2.8

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-13376
PATCHhttps://github.com/phpbb/phpbb-app
WEBhttps://blog.phpbb.com/category/security
WEBhttps://ssd-disclosure.com/archives/4007/ssd-advisory-phpbb-csrf-token-hijacking-leading-to-stored-xss