1. CVE-Search
  2. CVE-2018-19274
ID CVE-2018-19274
Summary Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.
References
Vulnerable Configurations
  • cpe:2.3:a:phpbb:phpbb:-:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:-:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.0:rc4:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.0:rc5:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.0:rc5:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.0:rc6:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.0:rc6:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.0:rc7:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.0:rc7:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.0:rc8:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.0:rc8:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.9:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.10:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.11:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.12:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.12:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.0.13:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.0.13:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.0:-:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.0:-:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.0:alpha1:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.0:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.0:alpha2:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.0:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.0:alpha3:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.0:alpha3:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.0:beta2:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.0:beta3:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.0:beta4:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.0:beta4:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.0:rc4:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.0:rc5:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.0:rc5:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.0:rc6:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.0:rc6:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.3:-:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.3:-:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.3:rc1:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.3:rc1:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.4:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.5:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.6:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.6:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.7:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.7:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.7:patch_level1:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.7:patch_level1:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.8:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.8:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.9:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.9:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.10:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.10:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.1.11:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.1.11:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.2.0:-:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.2.0:-:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.2.0:alpha1:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.2.0:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.2.0:alpha2:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.2.0:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.2.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.2.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.2.0:beta2:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.2.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.2.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.2.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.2.3:-:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.2.3:-:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.2.3:rc1:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.2.3:rc1:*:*:*:*:*:*
  • cpe:2.3:a:phpbb:phpbb:3.2.3:rc2:*:*:*:*:*:*
    cpe:2.3:a:phpbb:phpbb:3.2.3:rc2:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
CVSS
Base: 6.5 (as of 02-12-2022 - 19:21)
Impact:
Exploitability:
CWE CWE-1321
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW SINGLE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:P/A:P
refmap via4
confirm https://www.phpbb.com/community/viewtopic.php?f=14&t=2492206
misc https://blog.ripstech.com/2018/phpbb3-phar-deserialization-to-remote-code-execution/
mlist [debian-lts-announce] 20181124 [SECURITY] [DLA 1593-1] phpbb3 security update
Last major update 02-12-2022 - 19:21
Published 17-11-2018 - 13:29
Last modified 02-12-2022 - 19:21
Back to Top