First published: Fri Sep 27 2019
phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF token hijacking leads to stored XSS.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
phpBB | =3.2.7 | 3.2.8 |
composer/phpbb/phpbb | <=3.2.7 | 3.2.8 |
The vulnerability ID for this phpBB issue is CVE-2019-13376.
CVE-2019-13376 is rated medium severity, with a score of 6.5 out of 10.
CVE-2019-13376 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature.
CSRF token hijacking is the use of a Cross-Site Request Forgery flaw to steal or manipulate a user's session token; in this case the token taken is the Administration Control Panel session id, which is what lets the forged request proceed as the administrator.
The impact of CVE-2019-13376 is stored XSS (Cross-Site Scripting), which can lead to unauthorized access, data theft and further exploitation.
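The two controls that this class of bug calls for, a per-session anti-CSRF token checked on every state-changing request and output encoding of the stored avatar URL, shown as an added example. This is illustrative code written for this page, not phpBB's code, and it does not reproduce the specific flaw in the Remote Avatar feature; the function names, the in-memory `$SESSIONS` store and the sample requests are all constructed assumptions.

```php
<?php
declare(strict_types=1);

// Constructed in-memory session store: session id => session data.
$SESSIONS = [];

function start_session(array &$store): string
{
    $sid = bin2hex(random_bytes(16));
    $store[$sid] = [
        'csrf_token' => bin2hex(random_bytes(32)), // per-session, unguessable
        'avatar_url' => null,
    ];
    return $sid;
}

// Allow-list the remote avatar URL: must be a syntactically valid absolute URL
// and must use http or https (this rejects javascript:, data:, file:, ...).
function valid_avatar_url(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

// Handle a "set remote avatar" POST. $request mirrors what a real handler
// would read from the cookie and $_POST:
//   ['cookie_sid' => ..., 'post' => ['csrf_token' => ..., 'avatar_url' => ...]]
// The session id is taken from the cookie only and is never copied into a URL,
// so a server-side fetch of the avatar has nothing to leak via Referer.
function handle_set_avatar(array &$store, array $request): string
{
    $sid = $request['cookie_sid'] ?? '';
    if (!is_string($sid) || !isset($store[$sid])) {
        return 'error: no session';
    }
    $posted = $request['post']['csrf_token'] ?? '';
    // Constant-time compare. A cross-site form cannot read this token, so a
    // forged request fails here even though the browser attached the cookie.
    if (!is_string($posted) || !hash_equals($store[$sid]['csrf_token'], $posted)) {
        return 'error: csrf token mismatch';
    }
    $url = $request['post']['avatar_url'] ?? '';
    if (!is_string($url) || !valid_avatar_url($url)) {
        return 'error: invalid avatar url';
    }
    $store[$sid]['avatar_url'] = $url;
    return 'ok';
}

// Render the avatar tag. Escaping on output is what keeps a stored payload such
// as  x" onerror="...  from becoming script in the administrator's browser.
function render_avatar(array $store, string $sid): string
{
    $url = $store[$sid]['avatar_url'] ?? '';
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '" alt="avatar">';
}

// Demonstration with constructed requests.
$sid   = start_session($SESSIONS);
$token = $SESSIONS[$sid]['csrf_token'];

// 1. Forged cross-site POST: cookie present, token absent.
echo handle_set_avatar($SESSIONS, [
    'cookie_sid' => $sid,
    'post'       => ['avatar_url' => 'https://attacker.example/a.png'],
]), PHP_EOL;

// 2. Same-origin POST with a valid token but a non-http(s) URL.
echo handle_set_avatar($SESSIONS, [
    'cookie_sid' => $sid,
    'post'       => ['csrf_token' => $token, 'avatar_url' => 'javascript:alert(1)'],
]), PHP_EOL;

// 3. Legitimate request, then rendered.
echo handle_set_avatar($SESSIONS, [
    'cookie_sid' => $sid,
    'post'       => ['csrf_token' => $token, 'avatar_url' => 'https://cdn.example/a.png'],
]), PHP_EOL;
echo render_avatar($SESSIONS, $sid), PHP_EOL;

// 4. Defence in depth: a value that somehow bypassed validation (seeded straight
//    into the store here) is still rendered inert by the output encoding.
$SESSIONS[$sid]['avatar_url'] = 'https://cdn.example/a.png" onerror="alert(1)';
echo render_avatar($SESSIONS, $sid), PHP_EOL;
```

Run it with `php example.php`. Request 1 is rejected at the token check, request 2 at the URL allow-list, request 3 succeeds, and case 4 shows the quote and `onerror` attribute rendered as entities rather than as markup. The two layers are independent on purpose: the token check stops a third-party page from making the change at all, and the output encoding limits the damage if a bad value nevertheless reaches storage.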