CVE-2018-19274

moderate-risk
Published 2018-11-17

Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.

Do I need to act?

14.5% chance of exploitation in next 30 days
EPSS score — higher than 86% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 7.2/10 High
NETWORK / LOW complexity

Affected Products (2)

phpBB

Affected Vendors

45 / 100
moderate-risk
Severity 26/34 · High
Exploitability 12/34 · Low
Exposure 7/34 · Low