CVE-2015-1432

Name: CVE-2015-1432
Description: The message_options function in includes/ucp/ucp_pm_options.php in phpBB before 3.0.13 does not properly validate the form key, which allows remote attackers to conduct CSRF attacks and change the full folder setting via unspecified vectors.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 776699

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| phpbb3 (PTS) | jessie, jessie (lts) | 3.0.12-5+deb8u4 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| phpbb3 | source | wheezy | 3.0.10-4+deb7u2 | | | |
| phpbb3 | source | (unstable) | 3.0.12-4 | low | | 776699 |

Notes

[squeeze] - phpbb3 <no-dsa> (Minor issue)
https://tracker.phpbb.com/browse/PHPBB3-13526
