CVE-2018-19274

Sažetak

Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.

Reference

https://www.phpbb.com/community/viewtopic.php?f=14&t=2492206
https://blog.ripstech.com/2018/phpbb3-phar-deserialization-to-remote-code-execution/
https://lists.debian.org/debian-lts-announce/2018/11/msg00029.html

CVSS

Base:	6.5
Impact:	6.4
Exploitability:	8.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:S/C:P/I:P/A:P

Zadnje važnije ažuriranje

02-12-2022 - 19:21

Objavljeno

17-11-2018 - 13:29