Vulnerability Details : CVE-2015-1432
The message_options function in includes/ucp/ucp_pm_options.php in phpBB before 3.0.13 does not properly validate the form key, which allows remote attackers to conduct CSRF attacks and change the full folder setting via unspecified vectors.
Vulnerability category: Cross-site request forgery (CSRF)
Products affected by CVE-2015-1432
- cpe:2.3:a:phpbb:phpbb:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-1432
- EPSS score: 0.33% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~71% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2015-1432
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
CWE ids for CVE-2015-1432
- The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-1432
- https://github.com/phpbb/phpbb/commit/23069a13e203985ab124d1139e8de74b12778449 ([ticket/13526] Correctly validate the ucp_pm_options form key. · phpbb/phpbb@23069a1 · GitHub)
- https://tracker.phpbb.com/browse/PHPBB3-13526 ([PHPBB3-13526] Correctly validate ucp_pm_options form key - phpBB Tracker)
- https://wiki.phpbb.com/Release_Highlights/3.0.13 (Release Highlights/3.0.13 - phpBB Development Wiki)
- http://www.securityfocus.com/bid/72399 (phpBB CVE-2015-1432 Cross Site Request Forgery Vulnerability)
- https://github.com/phpbb/phpbb/pull/3311 ([ticket/13526] Correctly validate the ucp_pm_options form key. by bantu · Pull Request #3311 · phpbb/phpbb · GitHub)
- https://security.gentoo.org/glsa/201701-25 (phpBB: Multiple vulnerabilities (GLSA 201701-25) - Gentoo security)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/100671 (phpBB ucp_pm_options form key cross-site request forgery CVE-2015-1432 Vulnerability Report)
- http://seclists.org/oss-sec/2015/q1/373 (oss-sec: Re: CVE request: phpbb3 CSRF and CSS injection)