Skip to main content

Phpbb CVE-2020-5501

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2020-01-15 cve@mitre.org
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jan 15, 2020 - 00:15 nvd
MEDIUM 4.3

DescriptionNVD

phpBB 3.2.8 allows a CSRF attack that can modify a group avatar.

AnalysisAI

phpBB 3.2.8 allows a CSRF attack that can modify a group avatar. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. phpBB 3.2.8 allows a CSRF attack that can modify a group avatar. Affected products include: Phpbb.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

More in Phpbb

View all
CVE-2026-48611 CRITICAL POC
9.8 Jun 12

Account hijacking in phpBB is possible due to improper authentication checks in the OAuth implementation, affecting defa

CVE-2018-19274 HIGH POC
7.2 Nov 17

Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Inject

CVE-2019-13376 MEDIUM POC
6.5 Sep 27

phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote A

CVE-2019-16993 HIGH
8.8 Sep 30

In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in

CVE-2026-29199 HIGH
8.1 May 04

Host header injection in phpBB versions 3.0.0 through 3.3.15 enables password reset link poisoning when force_server_var

CVE-2026-48612 HIGH
8.0 Jun 12

Account takeover in phpBB via OAuth state-verification flaw enables remote attackers to link a victim's forum account to

CVE-2019-9826 HIGH
7.5 May 02

The fulltext search component in phpBB before 3.2.6 allows Denial of Service. Rated high severity (CVSS 7.5), this vulne

CVE-2026-47366 HIGH
7.2 Jun 12

Privilege escalation in phpBB allows an authenticated administrator with limited rights to grant themselves permissions

CVE-2015-1432 MEDIUM
6.8 Feb 10

The message_options function in includes/ucp/ucp_pm_options.php in phpBB before 3.0.13 does not properly validate the fo

CVE-2020-5502 MEDIUM
6.5 Jan 15

phpBB 3.2.8 allows a CSRF attack that can approve pending group memberships. Rated medium severity (CVSS 6.5), this vuln

CVE-2015-3880 MEDIUM
6.1 Sep 19

Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of G

CVE-2023-5917 MEDIUM
6.1 Nov 02

A vulnerability, which was classified as problematic, has been found in phpBB up to 3.3.10.php of the component Smiley P

Share

CVE-2020-5501 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy