CVE-2019-13376

Name: CVE-2019-13376
Description: phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1942-1, DLA-1942-2
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release           | Version          | Status
phpbb3 (PTS)   | jessie            | 3.0.12-5+deb8u1  | vulnerable
phpbb3 (PTS)   | jessie (security) | 3.0.12-5+deb8u4  | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version    | Urgency | Origin     | Debian Bugs
phpbb3  | source | (unstable) | (unfixed)        |         |            |
phpbb3  | source | jessie     | 3.0.12-5+deb8u4  |         | DLA-1942-2 |

Notes

https://ssd-disclosure.com/archives/4007/ssd-advisory-phpbb-csrf-token-hijacking-leading-to-stored-xss
Fixed in 3.2.8 as 'SECURITY-246':
https://github.com/phpbb/phpbb/commit/cdf4f5ef85f05c0f94eae1a9edb1c28d4ac3515f
Follow-up to the incomplete fix for CVE-2019-16993.
