Phpbb

phpbb

Vendor: Phpbb Group • 81 CVEs

CVEs (81)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2006-0438 1Phpbb Group 1Phpbb Apr 16, 2026 Feb 6, 2006 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.19, when Link to off-site Avatar or bbcode (IMG) are enabled, allows remote attackers to perform unauthorized actions as a logged in user via a link or IMG tag...Show more Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.19, when Link to off-site Avatar or bbcode (IMG) are enabled, allows remote attackers to perform unauthorized actions as a logged in user via a link or IMG tag in a user profile, as demonstrated using links to (1) admin/admin_users.php and (2) modcp.php.Show less
CVE-2006-0437 1Phpbb Group 1Phpbb Apr 16, 2026 Feb 6, 2006 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in admin_smilies.php in phpBB 2.0.19 allows remote attackers to inject arbitrary web script or HTML via Javascript events such as "onmouseover" in the (1) smile_url or (2) smile_e...Show more Cross-site scripting (XSS) vulnerability in admin_smilies.php in phpBB 2.0.19 allows remote attackers to inject arbitrary web script or HTML via Javascript events such as "onmouseover" in the (1) smile_url or (2) smile_emotion parameters, which bypasses a check for "<" and ">" characters.Show less
CVE-2006-0450 1Phpbb Group 1Phpbb Apr 16, 2026 Jan 27, 2006 N/A· v4 N/A· v3 5.0 MEDIUM· v2 phpBB 2.0.19 and earlier allows remote attackers to cause a denial of service (application crash) by (1) registering many users through profile.php or (2) using search.php to search in a certain way that confuses the dat...Show more phpBB 2.0.19 and earlier allows remote attackers to cause a denial of service (application crash) by (1) registering many users through profile.php or (2) using search.php to search in a certain way that confuses the database.Show less
CVE-2006-0063 1Phpbb Group 1Phpbb Apr 16, 2026 Jan 5, 2006 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in phpBB 2.0.19, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary web script or HTML via a permitted HTML tag with ' (single quote) characters and...Show more Cross-site scripting (XSS) vulnerability in phpBB 2.0.19, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary web script or HTML via a permitted HTML tag with ' (single quote) characters and active attributes such as onmouseover, a variant of CVE-2005-4357.Show less
CVE-2005-3537 1Phpbb Group 1Phpbb Apr 16, 2026 Dec 22, 2005 N/A· v4 N/A· v3 5.0 MEDIUM· v2 A "missing request validation" error in phpBB 2 before 2.0.18 allows remote attackers to edit private messages of other users, probably by modifying certain parameters or other inputs.
CVE-2005-3536 1Phpbb Group 1Phpbb Apr 16, 2026 Dec 22, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in phpBB 2 before 2.0.18 allows remote attackers to execute arbitrary SQL commands via the topic type.
CVE-2005-4358 1Phpbb Group 1Phpbb Apr 16, 2026 Dec 20, 2005 N/A· v4 N/A· v3 5.0 MEDIUM· v2 admin/admin_disallow.php in phpBB 2.0.18 allows remote attackers to obtain the installation path via a direct request with a non-empty setmodules parameter, which causes an invalid append_sid function call that leaks the...Show more admin/admin_disallow.php in phpBB 2.0.18 allows remote attackers to obtain the installation path via a direct request with a non-empty setmodules parameter, which causes an invalid append_sid function call that leaks the path in an error message.Show less
CVE-2005-4357 1Phpbb Group 1Phpbb Apr 16, 2026 Dec 20, 2005 N/A· v4 N/A· v3 2.6 LOW· v2 Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary Javascript via a permitted HTML tag with " (quote) characters and active attribut...Show more Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary Javascript via a permitted HTML tag with " (quote) characters and active attributes such as onmouseover.Show less
CVE-2005-3799 1Phpbb Group 1Phpbb Apr 16, 2026 Nov 24, 2005 N/A· v4 N/A· v3 5.0 MEDIUM· v2 phpBB 2.0.18 allows remote attackers to obtain sensitive information via a large SQL query, which generates an error message that reveals SQL syntax or the full installation path.
CVE-2005-3420 1Phpbb Group 1Phpbb Apr 16, 2026 Nov 1, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 usercp_register.php in phpBB 2.0.17 allows remote attackers to modify regular expressions and execute PHP code via the signature_bbcode_uid parameter, as demonstrated by injecting an "e" modifier into a preg_replace stat...Show more usercp_register.php in phpBB 2.0.17 allows remote attackers to modify regular expressions and execute PHP code via the signature_bbcode_uid parameter, as demonstrated by injecting an "e" modifier into a preg_replace statement.Show less
CVE-2005-3419 1Phpbb Group 1Phpbb Apr 16, 2026 Nov 1, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in usercp_register.php in phpBB 2.0.17 allows remote attackers to execute arbitrary SQL commands via the signature_bbcode_uid parameter, which is not properly initialized.
CVE-2005-3418 1Phpbb Group 1Phpbb Apr 16, 2026 Nov 1, 2005 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.17 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) error_msg parameter to usercp_register.php, (2) forward_page param...Show more Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.17 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) error_msg parameter to usercp_register.php, (2) forward_page parameter to login.php, and (3) list_cat parameter to search.php, which are not initialized as variables.Show less
CVE-2005-3417 1Phpbb Group 1Phpbb Apr 16, 2026 Nov 1, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 phpBB 2.0.17 and earlier, when the register_long_arrays directive is disabled, allows remote attackers to modify global variables and bypass security mechanisms because PHP does not define the associated HTTP_* variables...Show more phpBB 2.0.17 and earlier, when the register_long_arrays directive is disabled, allows remote attackers to modify global variables and bypass security mechanisms because PHP does not define the associated HTTP_* variables.Show less
CVE-2005-3416 1Phpbb Group 1Phpbb Apr 16, 2026 Nov 1, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 phpBB 2.0.17 and earlier, when register_globals is enabled and the session_start function has not been called to handle a session, allows remote attackers to bypass security checks by setting the $_SESSION and $HTTP_SESS...Show more phpBB 2.0.17 and earlier, when register_globals is enabled and the session_start function has not been called to handle a session, allows remote attackers to bypass security checks by setting the $_SESSION and $HTTP_SESSION_VARS variables to strings instead of arrays, which causes an array_merge function call to fail.Show less
CVE-2005-3415 1Phpbb Group 1Phpbb Apr 16, 2026 Nov 1, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 phpBB 2.0.17 and earlier allows remote attackers to bypass protection mechanisms that deregister global variables by setting both a GET/POST/COOKIE (GPC) variable and a GLOBALS[] variable with the same name, which causes...Show more phpBB 2.0.17 and earlier allows remote attackers to bypass protection mechanisms that deregister global variables by setting both a GET/POST/COOKIE (GPC) variable and a GLOBALS[] variable with the same name, which causes phpBB to unset the GLOBALS[] variable but not the GPC variable.Show less
CVE-2005-3310 1Phpbb Group 1Phpbb Apr 16, 2026 Oct 26, 2005 N/A· v4 N/A· v3 3.5 LOW· v2 Interpretation conflict in phpBB 2.0.17, with remote avatars and avatar uploading enabled, allows remote authenticated users to inject arbitrary web script or HTML via an HTML file with a GIF or JPEG file extension, whic...Show more Interpretation conflict in phpBB 2.0.17, with remote avatars and avatar uploading enabled, allows remote authenticated users to inject arbitrary web script or HTML via an HTML file with a GIF or JPEG file extension, which causes the HTML to be executed by a victim who views the file in Internet Explorer, which renders malformed image types as HTML, enabling cross-site scripting (XSS) attacks. NOTE: it could be argued that this vulnerability is due to a design flaw in Internet Explorer (CVE-2005-3312) and the proper fix should be in that browser; if so, then this should not be treated as a vulnerability in phpBB.Show less
CVE-2005-2161 1Phpbb Group 1Phpbb Apr 16, 2026 Jul 6, 2005 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in phpBB 2.0.16 allows remote attackers to inject arbitrary web script or HTML via nested [url] tags.
CVE-2005-2086 1Phpbb Group 1Phpbb Apr 16, 2026 Jul 5, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in viewtopic.php in phpBB 2.0.15 and earlier allows remote attackers to execute arbitrary PHP code.
CVE-2005-1193 1Phpbb Group 1Phpbb Apr 16, 2026 May 16, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 The bbencode_second_pass and make_clickable functions in bbcode.php for phpBB before 2.0.15, as used in viewtopic.php, privmsg.php, and other scripts, allow remote attackers to execute arbitrary script via a BBcode tag w...Show more The bbencode_second_pass and make_clickable functions in bbcode.php for phpBB before 2.0.15, as used in viewtopic.php, privmsg.php, and other scripts, allow remote attackers to execute arbitrary script via a BBcode tag with a (1) javascript:, (2) applet:, (3) about:, (4) activex:, (5) chrome:, or (6) script: URI scheme, as demonstrated using the URL tag.Show less
CVE-2005-1290 1Phpbb Group 1Phpbb Apr 16, 2026 May 2, 2005 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) u parameter to profile.php, (2) highlight parameter to viewtopic.p...Show more Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) u parameter to profile.php, (2) highlight parameter to viewtopic.php, or (3) forumname or forumdesc parameters to admin_forums.php.Show less

Previous 123 4 5 Next