CSRF Token Hijacking and Stored XSS in phpBB 3.2.7 Remote Avatar Feature

CVE-2019-13376 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF token hijacking leads to stored XSS.
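The advisory above describes a CSRF weakness in a remote-avatar form whose end result is stored XSS. As an added illustration from the defensive side (example code written for this page, not phpBB's own code and not a description of the phpBB fix), the snippet below shows the two controls that close this class of issue for any avatar-URL form: a form token bound to the session and checked in constant time, and strict validation plus output encoding of the user-supplied URL before it is stored and rendered. The names `csrf_token`, `verify_csrf_token`, `validate_avatar_url`, `render_avatar`, `handle_avatar_post` and the constant `FORM_SECRET`, as well as the sample session and requests, are assumptions constructed for the example.

```php
<?php
// Added example (not phpBB code). All names below are illustrative assumptions.
declare(strict_types=1);

// Server-side secret; in a real deployment load it from configuration, never hard-code it.
const FORM_SECRET = 'replace-with-a-random-32-byte-secret';

// Per-session, per-form token: an HMAC over the form name and session id.
// A token captured from one session is useless in another, and a cross-site
// request cannot compute one without the server secret.
function csrf_token(string $session_id, string $form_name): string
{
    return hash_hmac('sha256', $form_name . "\0" . $session_id, FORM_SECRET);
}

// Constant-time comparison so the check does not leak timing information.
function verify_csrf_token(string $session_id, string $form_name, string $submitted): bool
{
    return hash_equals(csrf_token($session_id, $form_name), $submitted);
}

// Accept only absolute http(s) URLs with a host, no embedded credentials and
// no characters that could break out of an HTML attribute. Returns the URL
// unchanged when acceptable, or null when it must be rejected.
function validate_avatar_url(string $url): ?string
{
    if ($url === '' || strlen($url) > 2048) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    if (preg_match('/[\x00-\x1f\x7f"\'<>]/', $url)) {
        return null;
    }
    return $url;
}

// The stored value is still encoded at render time; input validation is not
// a substitute for output encoding.
function render_avatar(string $stored_url): string
{
    return '<img src="' . htmlspecialchars($stored_url, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '" alt="avatar">';
}

// Form handler: $session and $post stand in for $_SESSION and $_POST.
function handle_avatar_post(array $session, array $post): array
{
    if (!verify_csrf_token($session['id'], 'remote_avatar', (string) ($post['form_token'] ?? ''))) {
        return ['ok' => false, 'error' => 'invalid form token'];
    }
    $url = validate_avatar_url((string) ($post['avatar_url'] ?? ''));
    if ($url === null) {
        return ['ok' => false, 'error' => 'invalid avatar url'];
    }
    return ['ok' => true, 'html' => render_avatar($url)];
}

// Constructed sample run: one legitimate request, one forged cross-site
// request without a valid token, and one with a token but an unacceptable URL.
$session = ['id' => 'sess_constructed_123'];
$legitimate = [
    'form_token' => csrf_token($session['id'], 'remote_avatar'),
    'avatar_url' => 'https://example.com/avatar.png',
];
$forged = ['form_token' => 'not-a-valid-token', 'avatar_url' => 'https://example.com/avatar.png'];
$bad_url = [
    'form_token' => csrf_token($session['id'], 'remote_avatar'),
    'avatar_url' => 'https://example.com/a.png" onerror="x',
];
foreach ([$legitimate, $forged, $bad_url] as $request) {
    var_dump(handle_avatar_post($session, $request));
}
```

The first request succeeds and renders an encoded `<img>` tag; the second is rejected at the token check before any input is examined; the third passes the token check but is rejected by URL validation, and even if a value slipped through, `htmlspecialchars` at render time keeps it inside the attribute.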
