CVE-2018-19274
PUBLISHED
Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.
EPSS 13.85% · 94.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:14.04:LTS | phpbb3 | 0, 3.0.11-5, 3.0.12-1 |
| Ubuntu:16.04:LTS | phpbb3 | 3.0.14-1, 3.0.14-1ubuntu1, 0 |
Timeline
- Nov 17, 2018 CVE Published
- Oct 3, 2019 CVE Updated
- Apr 14, 2021 EPSS Score
- Mar 7, 2023 EPSS Score
- Jul 8, 2023 EPSS Score
- Apr 9, 2024 EPSS Score
- Jul 6, 2024 EPSS Score
- Sep 26, 2024 EPSS Score
- Jan 12, 2025 EPSS Score
- Mar 17, 2025 EPSS Score
- Mar 29, 2025 EPSS Score
- Apr 6, 2025 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-19274 third-party-advisory
- https://www.phpbb.com/community/viewtopic.php?f=14&t=2492206 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-19274 third-party-advisory