The vulnerability stems from missing CSRF protection in the handling of group membership approvals. phpBB's security announcement explicitly cites improper form-token enforcement for pending group memberships. The group_controller::approve function in the UCP module is the logical endpoint for this action. Patched versions added CSRF token checks (check_form_key) to state-changing actions such as group approvals, a check that would have been absent here. While the exact code is not available, phpBB's architecture patterns and the vulnerability context strongly point to this function as the vulnerable point.
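As an added illustration, not phpBB's code and not the patched function itself: a minimal Python model of the unprotected approval handler beside one gated by a session-bound form token, the role a check_form_key()-style gate plays. The form name, field names and session layout are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed example: the form name and field names are assumptions,
# not phpBB's own identifiers.
FORM_NAME = "ucp_group_approve"


def make_form_key(session_secret: str, form_name: str = FORM_NAME) -> str:
    """Mint a token bound to the user's session and to one specific form,
    so a value leaked from another form or session is useless."""
    return hmac.new(session_secret.encode(), form_name.encode(),
                    hashlib.sha256).hexdigest()


def approve_unprotected(session: dict, form: dict, pending: set) -> bool:
    """Vulnerable pattern: authorisation only, no form-token check.
    A cross-site POST riding on a logged-in leader's cookies is honoured."""
    user_id = int(form["approve"])
    if session["is_group_leader"] and user_id in pending:
        pending.discard(user_id)
        return True
    return False


def approve_protected(session: dict, form: dict, pending: set) -> bool:
    """Hardened pattern: verify the per-session form token before any
    state change, as a check_form_key()-style gate does."""
    expected = make_form_key(session["form_secret"]).encode()
    supplied = form.get("form_token", "").encode()
    if not hmac.compare_digest(supplied, expected):
        return False  # token missing, stale, or minted for another session
    user_id = int(form["approve"])
    if session["is_group_leader"] and user_id in pending:
        pending.discard(user_id)
        return True
    return False


def demo() -> tuple:
    """Replay a forged cross-site request and a genuine one against both handlers."""
    leader = {"is_group_leader": True, "form_secret": "constructed-session-secret"}
    forged = {"approve": "42"}  # attacker-crafted: no token is obtainable cross-site
    genuine = {"approve": "42", "form_token": make_form_key(leader["form_secret"])}
    p1, p2, p3 = {42}, {42}, {42}
    return (approve_unprotected(leader, forged, p1),   # True: forgery succeeds
            approve_protected(leader, forged, p2),     # False: forgery rejected
            approve_protected(leader, genuine, p3))    # True: real form accepted
```

The first result is the defect class the advisory describes; the second is what the form-token check buys.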
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| phpbb/phpbb | composer | <= 3.2.8 | 3.2.9 |