CVE-2019-13376 — phpBB Cross-Site Request Forgery (CSRF)

Description

phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS

How to fix CVE-2019-13376

To remediate CVE-2019-13376, upgrade the affected package to a fixed version below.

Debian/phpbb3—upgrade to 3.0.12-5+deb8u4 or later
—upgrade to 3.0.12-5+deb8u4 or later
—upgrade to 3.2.8 or later

Is CVE-2019-13376 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 3.0.12-5+deb8u4
from 0, < 3.0.12-5+deb8u4
from 0, < 3.2.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-13376
PATCHgithub.com/phpbb/phpbb-app
WEBblog.phpbb.com/category/security
WEBssd-disclosure.com/archives/4007/ssd-advisory-phpbb-csrf-token-hijacking-leading-to-stored-xss