CVE-2018-19274

Name: CVE-2018-19274
Description: Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.
Source: CVE (cross-referenced at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)
References: DLA-1593-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                Version            Status
phpbb3 (PTS)     jessie, jessie (lts)   3.0.12-5+deb8u4    fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version      Urgency        Origin        Debian Bugs
phpbb3    source   wheezy       (unfixed)          end-of-life
phpbb3    source   jessie       3.0.12-5+deb8u2                   DLA-1593-1
phpbb3    source   (unstable)   (unfixed)

Notes

https://www.phpbb.com/community/viewtopic.php?f=14&t=2492206
https://github.com/phpbb/phpbb/commit/0dfbb60bc322ccda7a6e670a5f5ec9ab2f536eac
