phpBB: Multiple vulnerabilities — GLSA 201701-25

Multiple vulnerabilities have been found in phpBB, the worst of which may allow remote attackers to inject arbitrary web script or HTML.

Affected Packages

www-apps/phpBB on all architectures
Affected versions < 3.1.10
Unaffected versions

Background

phpBB is an Open Source bulletin board package.

Description

Multiple vulnerabilities have been discovered in phpBB. Please review the CVE identifiers referenced below for details.

Impact

A remote attacker may be able to change settings, inject arbitrary web script or HTML, or conduct cross-site request forgery (CSRF) attacks.

Workaround

There is no known workaround at this time.

Resolution

Gentoo Security support has been discontinued due to phpBB being dropped to unstable. As such, we recommend that users unmerge phpBB:

 # emerge --unmerge "www-apps/phpBB"
 

NOTE: Users could alternatively upgrade to “>=www-apps/phpBB-3.1.10”, however, these packages are not currently marked stable.

References

Release Date
January 11, 2017

Latest Revision
January 11, 2017: 1

Severity
normal

Exploitable
remote

Bugzilla entries