CVE-2018-19274

NameCVE-2018-19274
DescriptionPassing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1593-1

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
phpbb3sourcejessie3.0.12-5+deb8u2DLA-1593-1
phpbb3source(unstable)(unfixed)

Notes

https://www.phpbb.com/community/viewtopic.php?f=14&t=2492206
https://github.com/phpbb/phpbb/commit/0dfbb60bc322ccda7a6e670a5f5ec9ab2f536eac
Search for package or bug name: Reporting problems