CVE-2019-13376
MEDIUMphpBB 3.2.7 - Cross-Site Request Forgery in Remote Avatar Feature
Title source: llmDescription
phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS
References (2)
Core 2
Core References
Exploit, Vendor Advisory x_refsource_misc
https://blog.phpbb.com/category/security/
Exploit, Third Party Advisory x_refsource_misc
https://ssd-disclosure.com/archives/4007/ssd-advisory-phpbb-csrf-token-hijacking-leading-to-stored-xss
Scores
CVSS v3
6.5
EPSS
0.0068
EPSS Percentile
47.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Details
CWE
CWE-352
CWE-79
Status
published
Products (2)
phpbb/phpbb
3.2.7
phpbb/phpbb
0 - 3.2.8Packagist
Published
Sep 27, 2019
Tracked Since
Feb 18, 2026