Vendor: phpBB
By: Axl And CereBrums
CVSS: 7.5 (HIGH)
CWE: 89 (Code Injection)
Product Name: phpBB
Affected Version From: phpBB version <= 2.0.13
Affected Version To: phpBB version <= 2.0.13
Patch Exists: NO
Related CWE:
CPE: a:phpbb_group:phpbb:2.0.13
Platforms Tested:
Year: 2005
Title: phpBB <=2.0.13 'downloads.php' Mod
This script exploits a code injection vulnerability in the 'downloads.php' module of phpBB version <= 2.0.13. The module passes the 'user_id' request parameter into an SQL query without validation, so an attacker who manipulates that parameter can execute arbitrary SQL queries and retrieve sensitive information, such as the MD5 hash of a user's password.
Mitigation:
Upgrade to a patched version of phpBB or apply the security patches provided by the vendor. Additionally, ensure that user input is validated and sanitized before it is used in SQL queries; since 'user_id' is a numeric identifier, casting it to an integer before it reaches the query removes the injection vector.