CVE-2017-1000419 — phpBB Server-Side Request Forgery (SSRF)

Description

phpBB version 3.2.0 is vulnerable to SSRF in the Remote Avatar function resulting allowing an attacker to perform port scanning, requesting internal content and potentially attacking such internal services via the web application.

How to fix CVE-2017-1000419

To remediate CVE-2017-1000419, upgrade the affected package to a fixed version below.

Packagist/phpbb/phpbb—upgrade to 3.2.1 or later

Is CVE-2017-1000419 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 3.2.0, < 3.2.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-1000419
PATCHgithub.com/phpbb/phpbb-app
WEBwww.phpbb.com/community/viewtopic.php?f=14&p=14782136
WEBwww.sec-consult.com/en/blog/advisories/phpbb-server-side-request-forgery-vulnerability/index.html