CVE-2018-19274
HIGHphpBB < 3.2.4 - Authenticated Remote Code Execution via Phar Deserialization
Title source: llmDescription
Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.
References (3)
Core 3
Core References
Exploit, Third Party Advisory x_refsource_misc
https://blog.ripstech.com/2018/phpbb3-phar-deserialization-to-remote-code-execution/
Patch, Vendor Advisory x_refsource_confirm
https://www.phpbb.com/community/viewtopic.php?f=14&t=2492206
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/11/msg00029.html
Scores
CVSS v3
7.2
EPSS
0.0520
EPSS Percentile
91.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
CWE-1321
Status
published
Products (3)
debian/debian_linux
8.0
phpbb/phpbb
< 3.2.4
phpbb/phpbb
0 - 3.2.4Packagist
Published
Nov 17, 2018
Tracked Since
Feb 18, 2026