Directory traversal vulnerability in the Attachment module 2.3.10 and earlier for phpBB allows remote attackers to read arbitrary files via a .. (dot dot) in the filename.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| opentools | attachment_mod | 2.3.5 |
| opentools | attachment_mod | 2.3.10 |
| opentools | attachment_mod | 2.3.6 |
| opentools | attachment_mod | 2.3.8 |
| opentools | attachment_mod | 2.3.4 |
| opentools | attachment_mod | 2.3.7 |
| opentools | attachment_mod | 2.3.9 |
Attachment Mod 2.3.10 module for phpBB, when used with Apache mod_mime, does not properly handle files with multiple file extensions, such as .php.rar, which allows remote attackers to upload and execute arbitrary code.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| opentools | attachment_mod | 2.3.5 |
| opentools | attachment_mod | 2.3.10 |
| opentools | attachment_mod | 2.3.6 |
| opentools | attachment_mod | 2.3.8 |
| opentools | attachment_mod | 2.3.4 |
| opentools | attachment_mod | 2.3.7 |
| opentools | attachment_mod | 2.3.9 |
Unknown vulnerability in Attachment Mod before 2.3.13, related to a "serious issue with realnames," has unknown impact and attack vectors.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| opentools | attachment_mod | 2.3.5 |
| opentools | attachment_mod | 2.3.11 |
| opentools | attachment_mod | 2.3.10 |
| opentools | attachment_mod | 2.3.6 |
| opentools | attachment_mod | 2.3.8 |
| opentools | attachment_mod | 2.3.12 |
| opentools | attachment_mod | 2.3.4 |
| opentools | attachment_mod | 2.3.7 |
| opentools | attachment_mod | 2.3.9 |