CVE-2019-13376

MEDIUM

phpBB 3.2.7 - Cross-Site Request Forgery in Remote Avatar Feature

Title source: llm
STIX 2.1

Description

phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS

References (2)

Core 2
Core References
Exploit, Vendor Advisory x_refsource_misc
https://blog.phpbb.com/category/security/

Scores

CVSS v3 6.5
EPSS 0.0068
EPSS Percentile 47.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE
CWE-352 CWE-79
Status published
Products (2)
phpbb/phpbb 3.2.7
phpbb/phpbb 0 - 3.2.8Packagist
Published Sep 27, 2019
Tracked Since Feb 18, 2026