CVE-2015-1432

medium

Description

The message_options function in includes/ucp/ucp_pm_options.php in phpBB before 3.0.13 does not properly validate the form key, which allows remote attackers to conduct CSRF attacks and change the full folder setting via unspecified vectors.

References

https://wiki.phpbb.com/Release_Highlights/3.0.13

https://tracker.phpbb.com/browse/PHPBB3-13526

https://security.gentoo.org/glsa/201701-25

https://github.com/phpbb/phpbb/pull/3311

https://github.com/phpbb/phpbb/commit/23069a13e203985ab124d1139e8de74b12778449

https://exchange.xforce.ibmcloud.com/vulnerabilities/100671

http://www.securityfocus.com/bid/72399

http://seclists.org/oss-sec/2015/q1/373

Details

Source: Mitre, NVD

Published: 2015-02-10

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N