CVE-2006-2219

high

Description

phpBB 2.0.20 does not verify user-specified input variable types before being passed to type-dependent functions, which allows remote attackers to obtain sensitive information, as demonstrated by the (1) mode parameter to memberlist.php and the (2) highlight parameter to viewtopic.php that are used as an argument to the htmlspecialchars or urlencode functions, which displays the installation path in the resulting error message.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/26306

http://securityreason.com/securityalert/837

http://marc.info/?l=full-disclosure&m=114685931319903&w=2

http://marc.info/?l=bugtraq&m=114731067321710&w=2

http://marc.info/?l=bugtraq&m=114695651425026&w=2

Details

Source: Mitre, NVD

Published: 2007-02-08

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High

EPSS

EPSS: 0.00675