Total: 82 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2006-0437 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in admin_smilies.php in phpBB 2.0.19 allows remote attackers to inject arbitrary web script or HTML via Javascript events such as "onmouseover" in the (1) smile_url or (2) smile_emotion parameters, which bypasses a check for "<" and ">" characters. | |||||
CVE-2006-4450 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 5.1 MEDIUM | N/A |
usercp_avatar.php in PHPBB 2.0.20, when avatar uploading is enabled, allows remote attackers to use the server as a web proxy by submitting a URL to the avatarurl parameter, which is then used in an HTTP GET request. | |||||
CVE-2005-3415 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 7.5 HIGH | N/A |
phpBB 2.0.17 and earlier allows remote attackers to bypass protection mechanisms that deregister global variables by setting both a GET/POST/COOKIE (GPC) variable and a GLOBALS[] variable with the same name, which causes phpBB to unset the GLOBALS[] variable but not the GPC variable. | |||||
CVE-2006-1896 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 6.0 MEDIUM | N/A |
Unspecified vulnerability in phpBB allows remote authenticated users with Administration Panel access to execute arbitrary PHP code via crafted Font Colour 3 ($theme[fontcolor3] variable) and/or signature values, possibly involving the highlight functionality. NOTE: the original report does not clarify whether this issue is static code injection, eval injection, or another type of vulnerability. | |||||
CVE-2005-3417 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 7.5 HIGH | N/A |
phpBB 2.0.17 and earlier, when the register_long_arrays directive is disabled, allows remote attackers to modify global variables and bypass security mechanisms because PHP does not define the associated HTTP_* variables. | |||||
CVE-2005-3799 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 5.0 MEDIUM | N/A |
phpBB 2.0.18 allows remote attackers to obtain sensitive information via a large SQL query, which generates an error message that reveals SQL syntax or the full installation path. | |||||
CVE-2005-3418 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.17 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) error_msg parameter to usercp_register.php, (2) forward_page parameter to login.php, and (3) list_cat parameter to search.php, which are not initialized as variables. | |||||
CVE-2005-3537 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 5.0 MEDIUM | N/A |
A "missing request validation" error in phpBB 2 before 2.0.18 allows remote attackers to edit private messages of other users, probably by modifying certain parameters or other inputs. | |||||
CVE-2006-0063 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in phpBB 2.0.19, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary web script or HTML via a permitted HTML tag with ' (single quote) characters and active attributes such as onmouseover, a variant of CVE-2005-4357. | |||||
CVE-2005-3416 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 7.5 HIGH | N/A |
phpBB 2.0.17 and earlier, when register_globals is enabled and the session_start function has not been called to handle a session, allows remote attackers to bypass security checks by setting the $_SESSION and $HTTP_SESSION_VARS variables to strings instead of arrays, which causes an array_merge function call to fail. | |||||
CVE-2005-0614 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 7.5 HIGH | N/A |
sessions.php in phpBB 2.0.12 and earlier allows remote attackers to gain administrator privileges via the autologinid value in a cookie. | |||||
CVE-2005-1196 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 7.5 HIGH | N/A |
SQL injection vulnerability in kb.php in the Knowledge Base module for phpBB allows remote attackers to obtain sensitive information and execute SQL commands via the cat parameter. | |||||
CVE-2006-1895 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 6.5 MEDIUM | N/A |
Direct static code injection vulnerability in includes/template.php in phpBB allows remote authenticated users with write access to execute arbitrary PHP code by modifying a template in a way that (1) bypasses a loose ".*" regular expression to match BEGIN and END statements in overall_header.tpl, or (2) is used in an eval statement by includes/bbcode.php for bbcode.tpl. | |||||
CVE-2005-1114 | 2 Phpbb Group, Smartor | 2 Phpbb, Photo Album | 2023-12-10 | 7.5 HIGH | N/A |
Multiple SQL injection vulnerabilities in album_search.php in Photo Album 2.0.53 for phpBB allow remote attackers to execute arbitrary SQL commands via the (1) mode or (2) search parameters. | |||||
CVE-2006-1775 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.19 allow remote attackers to inject arbitrary web script or HTML via the (1) Site Description field in (a) admin_board.php, the (2) Group name and (3) Group description fields in (b) admin_groups.php and (c) groupcp.php, the (4) Theme Name field in (d) admin_styles.php, and the (5) Rank Title field in (e) admin_ranks.php. NOTE: the profile.php/Current password vector is already covered by CVE-2006-1603. | |||||
CVE-2004-1950 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 5.0 MEDIUM | N/A |
phpBB 2.0.8a and earlier trusts the IP address that is in the X-Forwarded-For in the HTTP header, which allows remote attackers to spoof IP addresses. | |||||
CVE-2004-0730 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 6.8 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in PhpBB 2.0.8 allow remote attackers to inject arbitrary web script or HTML via (1) the cat_title parameter in index.php, (2) the faq[0][0] parameter in lang_faq.php as accessible from faq.php, or (3) the faq[0][0] parameter in lang_bbcode.php as accessible from faq.php. | |||||
CVE-2002-0533 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 5.0 MEDIUM | N/A |
phpBB 1.4.4 and earlier with BBcode allows remote attackers to cause a denial of service (CPU consumption) and corrupt the database via null \0 characters within [code] tags. | |||||
CVE-2001-1482 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 7.5 HIGH | N/A |
SQL injection vulnerability in bb_memberlist.php for phpBB 1.4.2 allows remote attackers to execute arbitrary SQL queries via the $sortby variable. | |||||
CVE-2003-0486 | 1 Phpbb Group | 1 Phpbb | 2023-12-10 | 5.0 MEDIUM | N/A |
SQL injection vulnerability in viewtopic.php for phpBB 2.0.5 and earlier allows remote attackers to steal password hashes via the topic_id parameter. |