Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 6.8
CVE Id: CVE-2015-1432
Last Modified: 11 Feb 2015 02:41:22
Published: 10 Feb 2015 12:59:01
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2015-1432

Summary

The message_options function in includes/ucp/ucp_pm_options.php in phpBB before 3.0.13 does not properly validate the form key, which allows remote attackers to conduct CSRF attacks and change the full folder setting via unspecified vectors.

Vulnerable Systems

Application

  • phpBB 3.0.12


References

CONFIRM - https://wiki.phpbb.com/Release_Highlights/3.0.13

CONFIRM - https://tracker.phpbb.com/browse/PHPBB3-13526

CONFIRM - https://github.com/phpbb/phpbb/pull/3311

CONFIRM - https://github.com/phpbb/phpbb/commit/23069a13e203985ab124d1139e8de74b12778449

XF - phpbb3-cve20151432-csrf(100671)

BID - 72399

MLIST - [oss-security] 20150131 Re: CVE request: phpbb3 CSRF and CSS injection


Last Updated: 27 May 2016 11:07:46