About “phpBB”

A curated feed of “phpBB”-related CVEs appears below. We currently track 253 CVEs for this tag (all time). In the last 365 days, 4 were published. Average CVSS is 6.6 (all time; 7.5 over 365d), and 51% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-352 - Cross-Site Request Forgery (CSRF), CWE-640 - Weak Password Recovery Mechanism for Forgotten Password, CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

In our taxonomy this topic maps to a LOW impact class. CMS and plugins expand attack surface. Patch core, themes, and plugins, remove abandoned extensions, restrict admin access, enable WAF, and keep backups. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic.

2006-10-17
Medium

CVE-2006-5305

PHP remote file inclusion vulnerability in lat2cyr.php in the lat2cyr 1.0.1 and earlier phpbb module allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

Medium

CVE-2006-5306

Multiple PHP remote file inclusion vulnerabilities in the Journals System module 1.0.2 (RC2) and earlier for phpBB allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_pat…

2006-10-13
Medium

CVE-2006-5284

PHP remote file inclusion vulnerability in auth/phpbb.inc.php in Shen Cheng-Da PHP News Reader (aka pnews) 2.6.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the CFG…

2006-10-11
High

CVE-2006-5235

PHP remote file inclusion vulnerability in includes/functions_kb.php in Dimension of phpBB 0.2.6 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path par…

2006-10-10
High

CVE-2006-5222

Multiple PHP remote file inclusion vulnerabilities in Dimension of phpBB 0.2.6 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter in (1) inclu…

High

CVE-2006-5223

PHP remote file inclusion vulnerability in includes/functions_user_viewed_posts.php in the Nivisec User Viewed Posts Tracker module 1.0 and earlier for phpBB allows remote attackers to execute arbitr…

High

CVE-2006-5224

PHP remote file inclusion vulnerability in includes/logger_engine.php in Dimitri Seitz Security Suite IP Logger 1.0.0 in dwingmods for phpBB allows remote attackers to execute arbitrary PHP code via…

High

CVE-2006-5187

PHP remote file inclusion vulnerability in includes/functions.php in Bulletin Board Ace (BBaCE) 3.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path…

Medium

CVE-2006-5191

PHP remote file inclusion vulnerability in includes/functions_static_topics.php in the Nivisec Static Topics module for phpBB 1.0 and earlier allows remote attackers to execute arbitrary PHP code via…

High

CVE-2006-5209

PHP remote file inclusion vulnerability in admin/admin_topic_action_logging.php in Admin Topic Action Logging Mod 0.95 and earlier, as used in phpBB 2.0 up to 2.0.21, allows remote attackers to execu…

2006-09-29
Medium

CVE-2006-5094

PHP remote file inclusion vulnerability in includes/functions_kb.php in the phpBB XS 2 (Spain version) allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter…

Medium

CVE-2006-5077

PHP remote file inclusion vulnerability in admin/admin_topic_action_logging.php in Chris Smith Minerva Build 238 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the php…

High

CVE-2006-5083

PHP remote file inclusion vulnerability in includes/functions_portal.php in Integrated MODs (IM) Portal 1.2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_…

2006-09-25
High

CVE-2006-4968

PHP remote file inclusion vulnerability in includes/functions_admin.php in PNphpBB 1.2g allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

2006-09-19
High

CVE-2006-4893

PHP remote file inclusion vulnerability in bb_usage_stats/includes/bb_usage_stats.php in phpBB XS 0.58 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_pa…

2006-09-14
High

CVE-2006-4779

PHP remote file inclusion vulnerability in includes/functions_portal.php in Vitrax Premodded phpBB 1.0.6-R3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_ro…

High

CVE-2006-4780

PHP remote file inclusion vulnerability in includes/functions.php in phpBB XS 0.58 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

2006-09-13
Medium

CVE-2006-4758

phpBB 2.0.21 does not properly handle pathnames ending in %00, which allows remote authenticated administrative users to upload arbitrary files, as demonstrated by a query to admin/admin_board.php wi…

2006-09-09
Medium

CVE-2006-4664

PHP remote file inclusion vulnerability in includes/functions_portal.php in Premod Shadow 2.7.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path para…

2006-08-30
Medium

CVE-2006-4450

usercp_avatar.php in PHPBB 2.0.20, when avatar uploading is enabled, allows remote attackers to use the server as a web proxy by submitting a URL to the avatarurl parameter, which is then used in an…

2006-08-26
High

CVE-2006-4365

Multiple PHP remote file inclusion vulnerabilities in VistaBB 2.0.33 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter in (1) includes/functi…

High

CVE-2006-4367

SQL injection vulnerability in alltopics.php in the All Topics Hack 1.5.0 and earlier for phpBB 2.0.21 allows remote attackers to execute arbitrary SQL commands via the start parameter.

High

CVE-2006-4368

PHP remote file inclusion vulnerability in includes/functions_portal.php in IntegraMOD Portal 2.x and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path pa…

Low

CVE-2006-4369

Absolute path traversal vulnerability in includes/functions_portal.php in IntegraMOD Portal 2.x and earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via an…

2006-08-09
High

CVE-2006-4036

PHP remote file inclusion vulnerability in includes/usercp_register.php in ZoneMetrics ZoneX Publishers Gold Edition 1.0.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL…

2006-07-31
High

CVE-2006-3940

Multiple SQL injection vulnerabilities in phpbb-Auction allow remote attackers to execute arbitrary SQL commands via (1) the ar parameter in auction_room.php and (2) the u parameter in auction_store.…

2006-07-21
Medium

CVE-2006-3735

Multiple PHP remote file inclusion vulnerabilities in Mail2Forum (module for phpBB) 1.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the m2f_root_path parameter to (1…

2006-07-03
Medium

CVE-2006-3340

Multiple PHP remote file inclusion vulnerabilities in Pearl For Mambo module 1.6 for Mambo, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via the (1) phpbb_ro…

2006-06-28
Medium

CVE-2006-3269

PHP remote file inclusion vulnerability in includes/functions_cms.php in THoRCMS 1.3.1 allows remote attackers to execute arbitrary PHP code via the phpbb_root_path parameter.

Medium

CVE-2006-3257

Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.7.7 allow remote attackers to inject arbitrary HTML or web script via unspecified attack vectors, possibly including (1) calendar/my…

2006-06-15
High

CVE-2006-3028

PHP remote file inclusion vulnerability in stat_modules/users_age/module.php in Minerva 2.0.8a Build 237 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_…

2006-06-06
High

CVE-2006-2865

PHP remote file inclusion vulnerability in template.php in phpBB 2 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter. NOTE: followup posts have disputed this issu…

2006-06-05
Medium

CVE-2006-2828

Global variable overwrite vulnerability in PHP-Nuke allows remote attackers to conduct remote PHP file inclusion attacks via a modified phpbb_root_path parameter to the admin scripts (1) index.php, (…

2006-06-01
Medium

CVE-2006-2735

PHP remote file inclusion vulnerability in language/lang_english/lang_activity.php in Activity MOD Plus (Amod) 1.1.0, as used with phpBB when register_globals is enabled, allows remote attackers to e…

Medium

CVE-2006-2736

PHP remote file inclusion vulnerability in blend_data/blend_common.php in Blend Portal 1.2.0, as used with phpBB when register_globals is enabled, allows remote attackers to execute arbitrary PHP cod…

2006-05-31
High

CVE-2006-2693

Directory traversal vulnerability in admin/admin_hacks_list.php in Nivisec Hacks List 1.20 and earlier for phpBB, when register_globals is enabled, allows remote attackers to read arbitrary files via…

2006-05-22
High

CVE-2006-2507

Multiple PHP remote file inclusion vulnerabilities in Teake Nutma Foing 0.2.0 through 0.7.0, as used with phpBB, allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path…

2006-05-15
Medium

CVE-2006-2359

Cross-site scripting (XSS) vulnerability in charts.php in the Chart mod for phpBB allows remote attackers to inject arbitrary web script or HTML via the id parameter. NOTE: this issue might be resul…

High

CVE-2006-2360

SQL injection vulnerability in charts.php in the Chart mod for phpBB allows remote attackers to execute arbitrary SQL commands via the id parameter.

High

CVE-2006-2361

PHP remote file inclusion vulnerability in pafiledb_constants.php in Download Manager (mxBB pafiledb) integration, as used with phpBB, allows remote attackers to execute arbitrary PHP code via a URL…

2006-05-10
High

CVE-2006-2283

Multiple PHP remote file inclusion vulnerabilities in SpiffyJr phpRaid 2.9.5 through 3.0.b3 allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter in (1) auth…

2006-05-09
Medium

CVE-2006-2245

PHP remote file inclusion vulnerability in auction\auction_common.php in Auction mod 1.3m for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

2006-05-03
Medium

CVE-2006-2150

PHP remote file inclusion vulnerability in top/list.php in phpBB TopList 1.3.8 and earlier allows remote attackers to include arbitrary files via the returnpath parameter.

High

CVE-2006-2151

PHP remote file inclusion vulnerability in toplist.php in phpBB TopList 1.3.8 and earlier, when register_globals is enabled, allows remote attackers to include arbitrary files via the phpbb_root_path…

High

CVE-2006-2152

PHP remote file inclusion vulnerability in admin/addentry.php in phpBB Advanced Guestbook 2.4.0 and earlier, when register_globals is enabled, allows remote attackers to include arbitrary files via t…

2006-05-02
Medium

CVE-2006-2134

PHP remote file inclusion vulnerability in /includes/kb_constants.php in Knowledge Base Mod for PHPbb 2.0.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the module_r…

2006-04-20
Medium

CVE-2006-1895

Direct static code injection vulnerability in includes/template.php in phpBB allows remote authenticated users with write access to execute arbitrary PHP code by modifying a template in a way that (1…

Medium

CVE-2006-1896

Unspecified vulnerability in phpBB allows remote authenticated users with Administration Panel access to execute arbitrary PHP code via crafted Font Colour 3 ($theme[fontcolor3] variable) and/or sign…

2006-04-13
Medium

CVE-2006-1775

Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.19 allow remote attackers to inject arbitrary web script or HTML via the (1) Site Description field in (a) admin_board.php, the (2) Gr…

2006-04-04
Medium

CVE-2006-1603

Cross-site scripting (XSS) vulnerability in profile.php in phpBB 2.0.19 allows remote attackers to inject arbitrary web script or HTML via the cur_password parameter. NOTE: the provenance of this in…

2006-02-10
Medium

CVE-2006-0632

The gen_rand_string function in phpBB 2.0.19 uses insufficiently random data (small value space) to create the activation key ("validation ID") that is sent by e-mail when establishing a password, wh…

2006-02-06
Medium

CVE-2006-0437

Cross-site scripting (XSS) vulnerability in admin_smilies.php in phpBB 2.0.19 allows remote attackers to inject arbitrary web script or HTML via Javascript events such as "onmouseover" in the (1) smi…

Medium

CVE-2006-0438

Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.19, when Link to off-site Avatar or bbcode (IMG) are enabled, allows remote attackers to perform unauthorized actions as a logged in user…

2006-02-01
Medium

CVE-2006-0499

Cross-site scripting (XSS) vulnerability in rlink.php in Rlink 1.0.0 module for phpBB allows remote attackers to inject arbitrary web script or HTML via the url parameter. NOTE: the provenance of th…

2006-01-27
Medium

CVE-2006-0450

phpBB 2.0.19 and earlier allows remote attackers to cause a denial of service (application crash) by (1) registering many users through profile.php or (2) using search.php to search in a certain way…

2006-01-05
Medium

CVE-2006-0063

Cross-site scripting (XSS) vulnerability in phpBB 2.0.19, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary web script or HTML via a permitted HTML tag with ' (single q…

2005-12-28
High

CVE-2005-4528

SQL injection vulnerability in the Chatspot 2.0.0a7 module for phpBB allows remote attackers to execute arbitrary SQL commands via unknown vectors.

High

CVE-2005-4529

The Chatspot 2.0.0a7 module for phpBB might allow remote attackers to impersonate other users via unknown vectors.

2005-12-22
High

CVE-2005-3536

SQL injection vulnerability in phpBB 2 before 2.0.18 allows remote attackers to execute arbitrary SQL commands via the topic type.

Medium

CVE-2005-3537

A "missing request validation" error in phpBB 2 before 2.0.18 allows remote attackers to edit private messages of other users, probably by modifying certain parameters or other inputs.

2005-12-20
Low

CVE-2005-4357

Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary Javascript via a permitted HTML tag with " (quote) character…

Medium

CVE-2005-4358

admin/admin_disallow.php in phpBB 2.0.18 allows remote attackers to obtain the installation path via a direct request with a non-empty setmodules parameter, which causes an invalid append_sid functio…

2005-12-19
Medium

CVE-2005-4346

Invalid SQL syntax error in blog.php in phpBB Blog 2.2.2 and earlier allows remote attackers to obtain the full path of the application via an invalid permalink parameter to index.php, which produces…

2005-12-08
Medium

CVE-2005-4083

Directory traversal vulnerability in xs_edit.php in the eXtreme Styles phpBB module 2.2.1 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the edit parameter.

Medium

CVE-2005-4084

xs_edit.php in the phpBB eXtreme Styles module 2.2.1 and earlier allows remote attackers to obtain the installation path of the application via an invalid viewbackup parameter.

2005-11-24
Medium

CVE-2005-3799

phpBB 2.0.18 allows remote attackers to obtain sensitive information via a large SQL query, which generates an error message that reveals SQL syntax or the full installation path.

2005-11-01
High

CVE-2005-3415

phpBB 2.0.17 and earlier allows remote attackers to bypass protection mechanisms that deregister global variables by setting both a GET/POST/COOKIE (GPC) variable and a GLOBALS[] variable with the sa…

High

CVE-2005-3416

phpBB 2.0.17 and earlier, when register_globals is enabled and the session_start function has not been called to handle a session, allows remote attackers to bypass security checks by setting the $_S…

High

CVE-2005-3417

phpBB 2.0.17 and earlier, when the register_long_arrays directive is disabled, allows remote attackers to modify global variables and bypass security mechanisms because PHP does not define the associ…

Medium

CVE-2005-3418

Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.17 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) error_msg parameter to usercp_register.php, (…

High

CVE-2005-3419

SQL injection vulnerability in usercp_register.php in phpBB 2.0.17 allows remote attackers to execute arbitrary SQL commands via the signature_bbcode_uid parameter, which is not properly initialized.

High

CVE-2005-3420

usercp_register.php in phpBB 2.0.17 allows remote attackers to modify regular expressions and execute PHP code via the signature_bbcode_uid parameter, as demonstrated by injecting an "e" modifier int…

2005-10-26
Low

CVE-2005-3310

Interpretation conflict in phpBB 2.0.17, with remote avatars and avatar uploading enabled, allows remote authenticated users to inject arbitrary web script or HTML via an HTML file with a GIF or JPEG…

2005-07-06
Medium

CVE-2005-2161

Cross-site scripting (XSS) vulnerability in phpBB 2.0.16 allows remote attackers to inject arbitrary web script or HTML via nested [url] tags.

2005-07-05
High

CVE-2005-2086

PHP remote file inclusion vulnerability in viewtopic.php in phpBB 2.0.15 and earlier allows remote attackers to execute arbitrary PHP code.

2005-05-16
High

CVE-2005-1193

The bbencode_second_pass and make_clickable functions in bbcode.php for phpBB before 2.0.15, as used in viewtopic.php, privmsg.php, and other scripts, allow remote attackers to execute arbitrary scri…

2005-05-03
High

CVE-2005-1378

SQL injection vulnerability in posting_notes.php in the notes module for phpBB allows remote attackers to execute arbitrary SQL commands via the p parameter, which is used in the $post_id variable, a…

2005-05-02
High

CVE-2005-0614

sessions.php in phpBB 2.0.12 and earlier allows remote attackers to gain administrator privileges via the autologinid value in a cookie.

Medium

CVE-2005-0659

phpBB 2.0.13 and earlier allows remote attackers to obtain sensitive information via a direct request to oracle.php, which reveals the path in a PHP error message.

Medium

CVE-2005-0673

Cross-site scripting (XSS) vulnerability in usercp_register.php for phpBB 2.0.13 allows remote attackers to inject arbitrary web script or HTML by setting the (1) allowhtml, (2) allowbbcode, or (3) a…

High

CVE-2005-0862

Multiple PHP remote file inclusion vulnerabilities in PHPOpenChat 3.0.1 and earlier allow remote attackers to execute arbitrary PHP code via the phpbb_root_path parameter to (1) poc_loginform.php or…

Medium

CVE-2005-0871

calendar_scheduler.php in Topic Calendar 1.0.1 module for phpBB, when running on a Microsoft IIS server, allows remote attackers to obtain sensitive information via invalid parameters, which reveal t…

Medium

CVE-2005-0872

Cross-site scripting (XSS) vulnerability in calendar_scheduler.php in the Topic Calendar 1.0.1 module for phpBB allows remote attackers to inject arbitrary web script or HTML via the start parameter.

High

CVE-2005-1026

Multiple SQL injection vulnerabilities in SnailSource phpBB 2.0.x mods allow remote attackers to execute arbitrary SQL commands via the (1) file_id parameter to dlman.php in DLMan Pro or (2) id param…

Medium

CVE-2005-1113

Multiple cross-site scripting (XSS) vulnerabilities in PhpBB Plus 1.52 and earlier allow remote attackers to inject arbitrary web script or HTML via the bsid parameter to (1) groupcp.php, (2) index.p…

High

CVE-2005-1114

Multiple SQL injection vulnerabilities in album_search.php in Photo Album 2.0.53 for phpBB allow remote attackers to execute arbitrary SQL commands via the (1) mode or (2) search parameters.

Medium

CVE-2005-1115

Multiple cross-site scripting (XSS) vulnerabilities in Photo Album 2.0.53 module for phpBB allow remote attackers to inject arbitrary web script or HTML via the bsid parameter to (1) album_cat.php or…

Medium

CVE-2005-1116

Cross-site scripting (XSS) vulnerability in the Calendar module for phpBB allows remote attackers to inject arbitrary web script or HTML via the start parameter to calendar_scheduler.php.

High

CVE-2005-1170

SQL injection vulnerability in mod.php in the datenbank module for phpBB allows remote attackers to execute arbitrary SQL commands via the id parameter.

Medium

CVE-2005-1171

Cross-site scripting (XSS) vulnerability in mod.php in the datenbank module for phpBB allows remote attackers to inject arbitrary web script or HTML via the id parameter.

High

CVE-2005-1196

SQL injection vulnerability in kb.php in the Knowledge Base module for phpBB allows remote attackers to obtain sensitive information and execute SQL commands via the cat parameter.

Medium

CVE-2005-1234

Multiple SQL injection vulnerabilities in phpbb-Auction allow remote attackers to execute arbitrary SQL commands via the (1) u parameter to auction_rating.php or (2) ar parameter to action_offer.php.

Medium

CVE-2005-1235

auction_my_auctions.php in phpbb-Auction 1.2m and earlier allows remote attackers to obtain sensitive information via an invalid mode parameter, which leaks the full path in a PHP error message.

Medium

CVE-2005-1290

Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) u parameter to profile.php, (2) highlight par…

2005-04-07
High

CVE-2005-1047

Meilad File upload script (up.php) mod for phpBB 2.0.x does not properly limit the types of files that can be uploaded, which allows remote authenticated users to execute arbitrary commands by upload…

2005-03-14
Medium

CVE-2005-0258

Directory traversal vulnerability in (1) usercp_register.php and (2) usercp_avatar.php for phpBB 2.0.11, and possibly other versions, with gallery avatars enabled, allows remote attackers to delete (…

Medium

CVE-2005-0259

phpBB 2.0.11, and possibly other versions, with remote avatars and avatar uploading enabled, allows local users to read arbitrary files by providing both a local and remote location for an avatar, th…

2005-02-28
Medium

CVE-2005-0603

viewtopic.php in phpBB 2.0.12 and earlier allows remote attackers to obtain sensitive information via a highlight parameter containing invalid regular expression syntax, which reveals the path in a P…

2004-12-31
Medium

CVE-2004-1399

Directory traversal vulnerability in the Attachment module 2.3.10 and earlier for phpBB allows remote attackers to read arbitrary files via a .. (dot dot) in the filename.

High

CVE-2004-1404

Attachment Mod 2.3.10 module for phpBB, when used with Apache mod_mime, does not properly handle files with multiple file extensions, such as .php.rar, which allows remote attackers to upload and exe…

High

CVE-2004-1535

PHP remote file inclusion vulnerability in admin_cash.php for the Cash Mod module for phpBB allows remote attackers to execute arbitrary PHP code by modifying the phpbb_root_path parameter to referen…

Medium

CVE-2004-1809

Cross-site scripting (XSS) vulnerability in phpBB 2.0.6d and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) postdays parameter to viewtopic.php or (2) topicdays pa…

Medium

CVE-2004-2054

CRLF injection vulnerability in PhpBB 2.0.4 and 2.0.9 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via (1) the mode parameter to…

High

CVE-2004-2350

SQL injection vulnerability in search.php for phpBB 1.0 through 2.0.6 allows remote attackers to execute arbitrary SQL and gain privileges via the search_results parameter.

Medium

CVE-2004-2358

Cross-site scripting (XSS) vulnerability in admin_words.php for phpBB 2.0.6c allows remote attackers to inject arbitrary web script or HTML via the id parameter.

2004-12-23
Medium

CVE-2004-2130

Multiple cross-site scripting (XSS) vulnerabilities in privmsg.php in phpBB 2.0.6 allow remote attackers to execute arbitrary script or HTML via the (1) folder or (2) mode variables.

2004-11-23
Medium

CVE-2004-0339

Cross-site scripting (XSS) vulnerability in ViewTopic.php in phpBB, possibly 2.0.6c and earlier, allows remote attackers to execute arbitrary script or HTML as other users via the postorder parameter.

2004-11-12
High

CVE-2004-1315

viewtopic.php in phpBB 2.x before 2.0.11 improperly URL decodes the highlight parameter when extracting words and phrases to highlight, which allows remote attackers to execute arbitrary PHP code by…

2004-07-27
Medium

CVE-2004-0729

PhpBB 2.0.8 allows remote attackers to gain sensitive information via an invalid (1) category_rows parameter to index.php, (2) faq parameter to faq.php, or (3) ranksrow parameter to profile.php, whic…

Medium

CVE-2004-0730

Multiple cross-site scripting (XSS) vulnerabilities in PhpBB 2.0.8 allow remote attackers to inject arbitrary web script or HTML via (1) the cat_title parameter in index.php, (2) the faq[0][0] parame…

2004-07-19
Medium

CVE-2004-2055

Cross-site scripting (XSS) vulnerability in search.php for PhpBB 2.0.4 and 2.0.9 allows remote attackers to inject arbitrary HTML or web script via the search_author parameter.

2004-04-19
High

CVE-2004-1943

PHP remote file inclusion vulnerability in album_portal.php in phpBB modified by Przemo 1.8 allows remote attackers to execute arbitrary PHP code via the phpbb_root_path parameter.

Medium

CVE-2004-1950

phpBB 2.0.8a and earlier trusts the IP address that is in the X-Forwarded-For in the HTTP header, which allows remote attackers to spoof IP addresses.

2003-12-31
High

CVE-2003-1244

SQL injection vulnerability in page_header.php in phpBB 2.0, 2.0.1 and 2.0.2 allows remote attackers to brute force user passwords and possibly gain unauthorized access to forums via the forum_id par…

Medium

CVE-2003-1373

Directory traversal vulnerability in auth.php for PhpBB 1.4.0 through 1.4.4 allows remote attackers to read and include arbitrary files via .. (dot dot) sequences followed by NULL (%00) characters in…

High

CVE-2003-1530

SQL injection vulnerability in privmsg.php in phpBB 2.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the mark[] parameter.

2003-12-29
Medium

CVE-2003-1215

SQL injection vulnerability in groupcp.php for phpBB 2.0.6 and earlier allows group moderators to perform unauthorized activities via the sql_in parameter.

2003-11-27
High

CVE-2003-1216

SQL injection vulnerability in search.php for phpBB 2.0.6 and earlier allows remote attackers to execute arbitrary SQL and gain privileges via the search_id parameter.

2003-08-07
Medium

CVE-2003-0484

Cross-site scripting (XSS) vulnerability in viewtopic.php for phpBB allows remote attackers to insert arbitrary web script via the topic_id parameter.

Medium

CVE-2003-0486

SQL injection vulnerability in viewtopic.php for phpBB 2.0.5 and earlier allows remote attackers to steal password hashes via the topic_id parameter.