Hackzatan

**Name of the Vulnerable Software and Affected Versions** phpBB versions 2.0.19 and earlier **Description** The issue allows remote attackers to cause a denial of service, resulting in an application crash. This can be achieved by either registering a large number of users through the "profile.php" endpoint or by using the "search.php" endpoint in a specific way that confuses the database. **Recommendations** For phpBB versions 2.0.19 and earlier, consider restricting access to the "profile.php" and "search.php" endpoints until a fix is available. As a temporary workaround, limit the number of user registrations and implement rate limiting on search queries to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: phpBB versions 2.0.14 and earlier Description: The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This can be achieved via the `u` parameter to "profile.php", the `highlight` parameter to "viewtopic.php", or the `forumname` or `forumdesc` parameters to "admin forums.php". Recommendations: For phpBB versions 2.0.14 and earlier, update to a version later than 2.0.14 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** phpBB versions 2.0.13 and earlier **Description** The issue allows remote attackers to obtain sensitive information via a direct request to "oracle.php", which reveals the path in a PHP error message. **Recommendations** For phpBB versions 2.0.13 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpBB versions 2.0.12 and earlier **Description** The issue allows remote attackers to obtain sensitive information via a `highlight` parameter containing invalid regular expression syntax in the "viewtopic.php" API endpoint. This reveals the path in a PHP error message. **Recommendations** For phpBB versions 2.0.12 and earlier, update to a version later than 2.0.12 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** phpWebSite versions 0.10.0 and earlier **Description** The issue allows remote attackers to obtain sensitive information via an invalid `SEA search module` parameter, which reveals the path in a PHP error message. **Recommendations** For phpWebSite versions 0.10.0 and earlier, consider restricting access to the `index.php` file until a patch is available. As a temporary workaround, avoid using the `SEA search module` parameter in the affected API endpoint until the issue is resolved.