Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality.
AnalysisAI
Cross-site request forgery in phpBB 3.3.15 allows unauthenticated remote attackers to execute arbitrary code through the Admin Control Panel icon management functionality via a malicious link or webpage that tricks an authenticated administrator into performing unwanted actions. The attack requires user interaction (UI:R) and targets only integrity (CVSS score 4.3), though the CVE tags reference RCE, suggesting potential for elevated impact under specific conditions. No public exploit code has been independently confirmed at the time of this analysis.
Technical ContextAI
This vulnerability exploits a cross-site request forgery (CWE-352) weakness in phpBB's Admin Control Panel, specifically in the icon management feature. CSRF attacks bypass the same-origin policy by inducing an authenticated user (typically an administrator) to submit a forged request to a vulnerable endpoint. The icon management functionality likely processes file uploads or configuration changes without adequate CSRF token validation. An attacker crafts a malicious HTML page or link that, when visited by an authenticated admin, automatically submits a request to the vulnerable endpoint. The attack vector is network-based with low complexity (AC:L), meaning no special network conditions or techniques are required beyond standard HTTP requests. The phpBB product (CPE data shows n/a placeholder) version 3.3.15 is the confirmed affected release.
RemediationAI
Upgrade phpBB to version 3.3.16 or later, which includes CSRF token validation fixes for the Admin Control Panel icon management feature. The advisory is available at https://github.com/ariefibis/PHPBB/security/advisories/GHSA-56pv-xg3w-6822. As an interim workaround pending patching, administrators should avoid clicking untrusted links or visiting untrusted websites while authenticated to the phpBB Admin Control Panel; consider using separate browser profiles or incognito sessions for administrative tasks, or implement network-based restrictions (IP whitelisting, VPN) to limit Admin Panel access. Verify CSRF token validation is enabled in your phpBB installation configuration. If you cannot upgrade immediately, review the GitHub security advisory for additional mitigation guidance.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209385