CVE-2019-9826: phpBB Denial of Service
7.5
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.7057%
CWE
Published
5/24/2022
Updated
4/24/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
phpbb/phpbb | composer | < 3.2.6 | 3.2.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper input validation in phpBB's Native Fulltext Search component. The advisory explicitly mentions unrestricted search queries causing CPU-intensive SQL operations. The functions split_keywords (keyword processing) and keyword_search (query construction) in the fulltext_native backend are central to this mechanism. The patch in 3.2.6 introduced restrictions on search terms, confirming these functions' role. The file path aligns with phpBB's code structure, and the CWE-20 classification directly points to input validation flaws in these query-building functions.