Open redirect in phpBB
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2015-3880 |
| CWE-ID | CWE-601 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
phpBB Web applications / Forum & blogging software |
| Vendor | phpBB Group |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Open redirect
EUVDB-ID: #VU38234
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-3880
CWE-ID:
CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of Google Chrome to arbitrary web sites and conduct phishing attacks via unspecified vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsphpBB: 3.1.0 - 3.1.4
External linkshttp://www.openwall.com/lists/oss-security/2015/05/12/10
http://www.securityfocus.com/bid/74592
http://github.com/phpbb/phpbb/commit/1a3350619f428d9d69d196c52128727e27ef2f04
http://wiki.phpbb.com/Release_Highlights/3.0.14
http://wiki.phpbb.com/Release_Highlights/3.1.4
http://www.phpbb.com/community/viewtopic.php?f=14&t=2313941
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
