CVE-2018-19274

HIGH

phpBB <3.2.4 - RCE

Title source: llm

Description

Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.

References (3)

[Exploit, Third Party Advisory] https://blog.ripstech.com/2018/phpbb3-phar-deserialization-to-remote-code-execution/

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2018/11/msg00029.html

[Patch, Vendor Advisory] https://www.phpbb.com/community/viewtopic.php?f=14&t=2492206

Scores

CVSS v3 7.2

EPSS 0.1446

EPSS Percentile 94.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502 CWE-1321

Status published

Affected Products (3)

phpbb/phpbb < 3.2.4

debian/debian_linux

phpbb/phpbb < 3.2.4Packagist

Timeline

Published Nov 17, 2018

Tracked Since Feb 18, 2026