6.8

CVE-2015-1432

The message_options function in includes/ucp/ucp_pm_options.php in phpBB before 3.0.13 does not properly validate the form key, which allows remote attackers to conduct CSRF attacks and change the full folder setting via unspecified vectors.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PhpbbPhpbb Version <= 3.0.12
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.11% 0.617
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

http://seclists.org/oss-sec/2015/q1/373
https://security.gentoo.org/glsa/201701-25
https://wiki.phpbb.com/Release_Highlights/3.0.13
http://www.securityfocus.com/bid/72399
https://exchange.xforce.ibmcloud.com/vulnerabilities/100671
https://github.com/phpbb/phpbb/commit/23069a13e203985ab124d1139e8de74b12778449
https://github.com/phpbb/phpbb/pull/3311
https://tracker.phpbb.com/browse/PHPBB3-13526