CVE-2019-16993

EUVD-2022-5363
In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an attacker also manages to retrieve the session id of a reauthenticated administrator prior to targeting them.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 44%
Affected Products (NVD)
VendorProductVersion
phpbbphpbb
𝑥
≤ 3.1.7
debiandebian_linux
8.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
phpbb3
bionic
dne
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
Fixed 3.0.12-1ubuntu0.1~esm1
released
xenial
needed
Common Weakness Enumeration
References
https://github.com/phpbb/phpbb/commit/18abef716ecf42a35416444f3f84f5459d573789
https://lists.debian.org/debian-lts-announce/2019/09/msg00036.html
https://lists.debian.org/debian-lts-announce/2019/10/msg00006.html
https://www.phpbb.com/community/viewtopic.php?t=2352606
https://www.phpbb.com/support/documents.php?mode=changelog&version=3#v317
https://github.com/phpbb/phpbb/commit/18abef716ecf42a35416444f3f84f5459d573789
https://lists.debian.org/debian-lts-announce/2019/09/msg00036.html
https://lists.debian.org/debian-lts-announce/2019/10/msg00006.html
https://www.phpbb.com/community/viewtopic.php?t=2352606
https://www.phpbb.com/support/documents.php?mode=changelog&version=3#v317