本頁列出影響 phpbb_group phpbb 的已公開 CVE 漏洞(透過 NVD CPE 關聯)。每列包含嚴重程度評分、摘要與發布日期,便於識別與分析安全議題。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2006-0438 | Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.19, when Link to off-site Avatar or bbcode (IMG) are enabled, allows remote attackers to perform unauthorized actions as a logged in user via a link or IMG tag in a user profile, as demonstrated using links to (1) admin/admin_users.php and (2) modcp.php. | [email protected] | 5.0 | 2.48% | 2006-02-06 | 2026-04-16 |
| CVE-2006-0437 | Cross-site scripting (XSS) vulnerability in admin_smilies.php in phpBB 2.0.19 allows remote attackers to inject arbitrary web script or HTML via Javascript events such as "onmouseover" in the (1) smile_url or (2) smile_emotion parameters, which bypasses a check for "<" and ">" characters. | [email protected] | 4.3 | 2.24% | 2006-02-06 | 2026-04-16 |
| CVE-2006-0450 | phpBB 2.0.19 and earlier allows remote attackers to cause a denial of service (application crash) by (1) registering many users through profile.php or (2) using search.php to search in a certain way that confuses the database. | [email protected] | 5.0 | 4.97% | 2006-01-27 | 2026-04-16 |
| CVE-2006-0063 | Cross-site scripting (XSS) vulnerability in phpBB 2.0.19, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary web script or HTML via a permitted HTML tag with ' (single quote) characters and active attributes such as onmouseover, a variant of CVE-2005-4357. | [email protected] | 4.3 | 1.25% | 2006-01-05 | 2026-04-16 |
| CVE-2005-3537 | A "missing request validation" error in phpBB 2 before 2.0.18 allows remote attackers to edit private messages of other users, probably by modifying certain parameters or other inputs. | [email protected] | 5.0 | 1.42% | 2005-12-22 | 2026-04-16 |
| CVE-2005-3536 | SQL injection vulnerability in phpBB 2 before 2.0.18 allows remote attackers to execute arbitrary SQL commands via the topic type. | [email protected] | 7.5 | 1.27% | 2005-12-22 | 2026-04-16 |
| CVE-2005-4358 | admin/admin_disallow.php in phpBB 2.0.18 allows remote attackers to obtain the installation path via a direct request with a non-empty setmodules parameter, which causes an invalid append_sid function call that leaks the path in an error message. | [email protected] | 5.0 | 2.08% | 2005-12-20 | 2026-04-16 |
| CVE-2005-4357 | Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary Javascript via a permitted HTML tag with " (quote) characters and active attributes such as onmouseover. | [email protected] | 2.6 | 1.86% | 2005-12-20 | 2026-04-16 |
| CVE-2005-3799 | phpBB 2.0.18 allows remote attackers to obtain sensitive information via a large SQL query, which generates an error message that reveals SQL syntax or the full installation path. | [email protected] | 5.0 | 1.57% | 2005-11-24 | 2026-04-16 |
| CVE-2005-3420 | usercp_register.php in phpBB 2.0.17 allows remote attackers to modify regular expressions and execute PHP code via the signature_bbcode_uid parameter, as demonstrated by injecting an "e" modifier into a preg_replace statement. | [email protected] | 7.5 | 2.37% | 2005-11-01 | 2026-04-16 |
| CVE-2005-3419 | SQL injection vulnerability in usercp_register.php in phpBB 2.0.17 allows remote attackers to execute arbitrary SQL commands via the signature_bbcode_uid parameter, which is not properly initialized. | [email protected] | 7.5 | 1.85% | 2005-11-01 | 2026-04-16 |
| CVE-2005-3418 | Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.17 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) error_msg parameter to usercp_register.php, (2) forward_page parameter to login.php, and (3) list_cat parameter to search.php, which are not initialized as variables. | [email protected] | 4.3 | 1.84% | 2005-11-01 | 2026-04-16 |
| CVE-2005-3417 | phpBB 2.0.17 and earlier, when the register_long_arrays directive is disabled, allows remote attackers to modify global variables and bypass security mechanisms because PHP does not define the associated HTTP_* variables. | [email protected] | 7.5 | 2.31% | 2005-11-01 | 2026-04-16 |
| CVE-2005-3416 | phpBB 2.0.17 and earlier, when register_globals is enabled and the session_start function has not been called to handle a session, allows remote attackers to bypass security checks by setting the $_SESSION and $HTTP_SESSION_VARS variables to strings instead of arrays, which causes an array_merge function call to fail. | [email protected] | 7.5 | 2.31% | 2005-11-01 | 2026-04-16 |
| CVE-2005-3415 | phpBB 2.0.17 and earlier allows remote attackers to bypass protection mechanisms that deregister global variables by setting both a GET/POST/COOKIE (GPC) variable and a GLOBALS[] variable with the same name, which causes phpBB to unset the GLOBALS[] variable but not the GPC variable. | [email protected] | 7.5 | 2.37% | 2005-11-01 | 2026-04-16 |
| CVE-2005-3310 | Interpretation conflict in phpBB 2.0.17, with remote avatars and avatar uploading enabled, allows remote authenticated users to inject arbitrary web script or HTML via an HTML file with a GIF or JPEG file extension, which causes the HTML to be executed by a victim who views the file in Internet Explorer, which renders malformed image types as HTML, enabling cross-site scripting (XSS) attacks. NOTE: it could be argued that this vulnerability is due to a design flaw in Internet Explorer (CVE-2005 | [email protected] | 3.5 | 1.17% | 2005-10-26 | 2026-04-16 |
| CVE-2005-2161 | Cross-site scripting (XSS) vulnerability in phpBB 2.0.16 allows remote attackers to inject arbitrary web script or HTML via nested [url] tags. | [email protected] | 4.3 | 1.23% | 2005-07-06 | 2026-04-16 |
| CVE-2005-2086 | PHP remote file inclusion vulnerability in viewtopic.php in phpBB 2.0.15 and earlier allows remote attackers to execute arbitrary PHP code. | [email protected] | 7.5 | 85.37% | 2005-07-05 | 2026-04-16 |
| CVE-2005-1193 | The bbencode_second_pass and make_clickable functions in bbcode.php for phpBB before 2.0.15, as used in viewtopic.php, privmsg.php, and other scripts, allow remote attackers to execute arbitrary script via a BBcode tag with a (1) javascript:, (2) applet:, (3) about:, (4) activex:, (5) chrome:, or (6) script: URI scheme, as demonstrated using the URL tag. | [email protected] | 7.5 | 16.36% | 2005-05-16 | 2026-04-16 |
| CVE-2005-1290 | Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) u parameter to profile.php, (2) highlight parameter to viewtopic.php, or (3) forumname or forumdesc parameters to admin_forums.php. | [email protected] | 4.3 | 1.04% | 2005-05-02 | 2026-04-16 |