Miggo Logo
Miggo Vulnerability Database
CVE-2019-16107

CVE-2019-16107: phpBB Cross-Site Request Forgery (CSRF)

4.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-16107
GHSA ID
GHSA-wg24-9xm9-593v
EPSS Score
0.26432%
CWE
CWE-352
Published
5/24/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
phpbb/phpbbcomposer= 3.2.73.2.8

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing form token validation in attachment deletion workflows. phpBB 3.2.8's release notes explicitly mention adding CSRF protection to previously unprotected forms. The helper functions handling attachment management in 3.2.7 would lack the check_form_key() validation that was later added in 3.2.8. The controller helper and attachment deletion classes are core components responsible for processing attachment operations, making them the most likely candidates for the missing validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Missin* *orm tok*n v*li**tion in p*p** *.*.* *llows *SR* in **l*tin* post *tt***m*nts.

Reasoning

T** vuln*r**ility st*ms *rom missin* *orm tok*n v*li**tion in *tt***m*nt **l*tion work*lows. p*p** *.*.*'s r*l**s* not*s *xpli*itly m*ntion ***in* *SR* prot**tion to pr*viously unprot**t** *orms. T** **lp*r *un*tions **n*lin* *tt***m*nt m*n***m*nt in