Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 916864 (CVE-2023-5917)

Summary: www-apps/phpBB: XSS vulnerability
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: chewi, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.phpbb.com/community/viewtopic.php?t=2646991
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-04 19:22:28 UTC 
CVE-2023-5917:

A vulnerability, which was classified as problematic, has been found in phpBB up to 3.3.10. This issue affects the function main of the file phpBB/includes/acp/acp_icons.php of the component Smiley Pack Handler. The manipulation of the argument pak leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 3.3.11 is able to address this issue. The patch is named ccf6e6c255d38692d72fcb613b113e6eaa240aac. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-244307.

Patch: https://github.com/phpbb/phpbb/commit/ccf6e6c255d38692d72fcb613b113e6eaa240aac
https://github.com/phpbb/phpbb/releases/tag/release-3.3.11

Please bump to 3.3.11.
Comment 1 Larry the Git Cow gentoo-dev 2023-11-04 22:35:15 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b013215b98e7e317a0221b1baa4bb7ad78b9dc2e

commit b013215b98e7e317a0221b1baa4bb7ad78b9dc2e
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2023-11-04 22:24:29 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2023-11-04 22:34:19 +0000

    www-apps/phpBB: Bump to 3.3.11, drop old 3.3.10-r1
    
    Bug: https://bugs.gentoo.org/916864
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 www-apps/phpBB/Manifest                                        | 2 +-
 www-apps/phpBB/{phpBB-3.3.10-r1.ebuild => phpBB-3.3.11.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 2 Hans de Graaff gentoo-dev Security 2023-11-05 07:36:30 UTC 
Thanks for the quick action!