CVE-2018-19274
phpBB Remote Code Execution
CVSS 3.1: 7.2 (HIGH)
EPSS: 13.9%
Description
Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows remote code execution through object injection, by employing Phar deserialization, when an attacker has access to the Admin Control Panel with founder permissions.
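As an added defensive illustration (not phpBB's own code or its actual fix), the check below wraps file_exists() so that admin-supplied paths are refused if they carry a stream-wrapper scheme and are confined to an expected base directory. Function names, the base directory and the sample paths are assumptions.

```php
<?php
// Added example, not phpBB code. PHP filesystem functions such as file_exists()
// accept stream URLs (phar://, data://, ...); opening a Phar archive deserialises
// its metadata, which is the object-injection vector this CVE describes.
// Refusing any scheme before the call closes that route for this check.

function is_safe_local_path(string $path, string $base_dir): bool
{
    // Reject scheme:// prefixes and NUL bytes (both are invalid for a real local path).
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1 || strpos($path, "\0") !== false) {
        return false;
    }
    // Resolve symlinks and '..', then require the result to stay under $base_dir.
    $real_base = realpath($base_dir);
    $real_path = realpath($path);
    if ($real_base === false || $real_path === false) {
        return false;
    }
    $prefix = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real_path, $prefix, strlen($prefix)) === 0;
}

// Hypothetical replacement for a bare file_exists() on an admin-controlled value.
function safe_file_exists(string $path, string $base_dir): bool
{
    if (!is_safe_local_path($path, $base_dir)) {
        return false;
    }
    return file_exists($path);
}

// Constructed sample inputs: an assumed base directory with one real file in it.
$base = sys_get_temp_dir();
$file = $base . DIRECTORY_SEPARATOR . 'example.txt';
file_put_contents($file, "sample\n");

var_dump(safe_file_exists($file, $base));                       // bool(true): plain path under base
var_dump(safe_file_exists('phar:///var/tmp/x.phar/y', $base));  // bool(false): scheme refused before file_exists()
var_dump(safe_file_exists('/etc/passwd', $base));               // bool(false): outside the base directory

unlink($file);
```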
How to fix CVE-2018-19274
To remediate CVE-2018-19274, upgrade the affected package to a fixed version below.
- Debian/phpbb3: upgrade to 3.0.12-5+deb8u2 or later
- (package not named on the page): upgrade to 3.2.4 or later
Is CVE-2018-19274 being exploited?
Moderate: EPSS is 13.9%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (2)
- from 0, < 3.0.12-5+deb8u2
- from 0, < 3.2.4
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |