CVE-2015-1432

Published: Feb 10, 2015Modified: May 6, 2026

6.8

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability: 8.6 / Impact: 6.4

Source: NVD

Description

The message_options function in includes/ucp/ucp_pm_options.php in phpBB before 3.0.13 does not properly validate the form key, which allows remote attackers to conduct CSRF attacks and change the full folder setting via unspecified vectors.

Affected (1)

Products: Phpbb: Phpbb

Phpbb

1 product

Phpbb

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Phpbb Phpbb	Up to 3.0.12

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (16)

http://seclists.org/oss-sec/2015/q1/373

Source: cve@mitre.org

http://www.securityfocus.com/bid/72399

Source: cve@mitre.org

https://exchange.xforce.ibmcloud.com/vulnerabilities/100671

Source: cve@mitre.org

https://github.com/phpbb/phpbb/commit/23069a13e203985ab124d1139e8de74b12778449

Source: cve@mitre.org

https://github.com/phpbb/phpbb/pull/3311

Source: cve@mitre.org

https://security.gentoo.org/glsa/201701-25

Source: cve@mitre.org

https://tracker.phpbb.com/browse/PHPBB3-13526

Source: cve@mitre.org

https://wiki.phpbb.com/Release_Highlights/3.0.13

Source: cve@mitre.org

http://seclists.org/oss-sec/2015/q1/373