CVE-2018-19274: Deserialization of Untrusted Data
Passing an absolute path to a file_exists check in phpBB allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.
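A defensive example of the pattern this advisory describes, added here and not taken from phpBB: on PHP versions before 8.0, file_exists() called on a phar:// URL unserializes the archive's metadata, so the check below rejects stream-wrapper URLs before any filesystem call. The function names and sample paths are assumptions made for illustration.

```php
<?php
// Added example: function names and sample paths are constructed, not phpBB code.

/**
 * Return true only for a plain local filesystem path.
 * Rejects any stream-wrapper URL (phar://, compress.zlib://, ...).
 */
function is_plain_local_path(string $path): bool
{
    // Empty input and embedded null bytes are never valid paths.
    if ($path === '' || strpos($path, "\0") !== false) {
        return false;
    }
    // "scheme://" means PHP would route the call through a stream wrapper.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        return false;
    }
    return true;
}

/** file_exists() that never touches a stream wrapper. */
function checked_file_exists(string $path): bool
{
    return is_plain_local_path($path) && file_exists($path);
}

// Defence in depth: drop the phar wrapper when the application
// never needs to read Phar archives at runtime.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Constructed sample inputs, as an admin-supplied path setting might look.
$samples = [
    '/usr/bin/convert',
    'phar:///var/www/files/upload.jpg/x',
    'PHAR:///var/www/files/upload.jpg/x',
    'compress.zlib://phar:///var/www/files/upload.jpg/x',
];

foreach ($samples as $path) {
    printf("%-55s %s\n", $path, is_plain_local_path($path) ? 'accepted' : 'rejected');
}
```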