CERTA-2006-AVI-002
Vulnerability from certfr_avis

A vulnerability in phpBB allows a malicious remote user to carry out a cross-site scripting attack or to execute arbitrary code remotely.

Description

phpBB is a tool used to run forums on the Internet.

The vulnerability is due to an error in the sanitization of certain arguments. It can be exploited to execute HTML or JavaScript code on the machine of a user visiting a compromised forum.

Solution

Apply the phpBB security update by upgrading to version 2.0.19, available at the following address:

http://www.phpbb.com/downloads.php

Affected systems

phpBB 2.x.



{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cP\u003ephpBB 2.x.\u003c/P\u003e",
  "content": "## Description\n\nL\u0027outil phpBB est utilis\u00e9 dans la mise en \u0153uvre de forums sur\nl\u0027Internet.\n\nLa vuln\u00e9rabilit\u00e9 est due \u00e0 une erreur lors de l\u0027assainnissement de\ncertains arguments. Elle peut \u00eatre exploit\u00e9e afin d\u0027ex\u00e9cuter du code\nHTML ou Javascript sur le poste d\u0027un internaute visitant un forum\ncompromis.\n\n## Solution\n\nAppliquer la mise \u00e0 jour de s\u00e9curit\u00e9 phpBB en passant \u00e0 la version\n2.0.19 disponible \u00e0 l\u0027adresse suivante :\n\n    http://www.phpbb.com/downloads.php\n",
  "cves": [],
  "initial_release_date": "2006-01-02T00:00:00",
  "last_revision_date": "2006-01-02T00:00:00",
  "links": [
    {
      "title": "Site Internet de phpBB :",
      "url": "http://www.phpbbb.com"
    }
  ],
  "reference": "CERTA-2006-AVI-002",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2006-01-02T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de commande arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 dans phpBB permet \u00e0 un utilisateur distant mal\nintentionn\u00e9 de r\u00e9aliser une attaque de type Cross Site Scripting ou\nd\u0027ex\u00e9cuter du code arbitraire \u00e0 distance.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans phpBB",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Mise \u00e0 jour de s\u00e9curit\u00e9 phpBB 2.0.19",
      "url": "http://www.phpbb.com/downloads.php"
    }
  ]
}

