Description
The message_options function in includes/ucp/ucp_pm_options.php in phpBB before 3.0.13 does not properly validate the form key, which allows remote attackers to conduct CSRF attacks and change the full folder setting via unspecified vectors.
References (8)
Core References
Mailing List (mailing-list, x_refsource_mlist): http://seclists.org/oss-sec/2015/q1/373
Third Party Advisory (vendor-advisory, x_refsource_gentoo): https://security.gentoo.org/glsa/201701-25
Patch (x_refsource_confirm): https://github.com/phpbb/phpbb/commit/23069a13e203985ab124d1139e8de74b12778449
Issue Tracking (x_refsource_confirm): https://github.com/phpbb/phpbb/pull/3311
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/72399
Various Sources (x_refsource_confirm): https://tracker.phpbb.com/browse/PHPBB3-13526
Third Party Advisory (x_refsource_confirm): https://wiki.phpbb.com/Release_Highlights/3.0.13
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/100671
Scores
EPSS: 0.0051
EPSS Percentile: 66.4%
Details
CWE: CWE-352
Status: published
Products (1)
phpbb/phpbb < 3.0.12
Published: Feb 10, 2015
Tracked Since: Feb 18, 2026