Multiple Vulnerabilities in phpBB

vendor:

phpBB

by:

SecurityFocus

7.5

CVSS

HIGH

SQL Injection and Cross-Site Scripting

89, 79

CWE

Product Name: phpBB

Affected Version From: 2.0.7a

Affected Version To: 2.0.7a

Patch Exists: YES

Related CWE: N/A

CPE: a:phpbb:phpbb

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2002

Multiple Vulnerabilities in phpBB

It has been reported that phpBB may be prone to multiple vulnerabilities that could allow an attacker to carry out SQL injection and cross-site scripting attacks. These vulnerabilities result from insufficient sanitization of user-supplied input via the 'id' parameter of 'admin_smilies.php' module and the 'style_id' parameter of 'admin_styles' module.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/9942/info

It has been reported that phpBB may be prone to multiple vulnerabilities that could allow an attacker to carry out SQL injection and cross-site scripting attacks. These vulnerabilities result from insufficient sanitization of user-supplied input via the 'id' parameter of 'admin_smilies.php' module and the 'style_id' parameter of 'admin_styles' module.

phpBB versions 2.0.7a and prior are reported to be prone to these issues.

admin_smilies.php?mode=edit&id=[SQL]
admin_smilies.php?mode=delete&id=[SQL]
admin_smilies.php?mode=edit&id=[XSS]
admin_smilies.php?mode=delete&id=[XSS]
admin_styles.php?mode=edit&style_id=[SQL]
admin_styles.php?mode=delete&style_id=[SQL]
admin_styles.php?mode=edit&style_id=[XSS]
admin_styles.php?mode=delete&style_id=[XSS]