CVE-2019-25685

Description

phpBB contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by exploiting the plupload functionality and phar:// stream wrapper. Attackers can upload a crafted zip file containing serialized PHP objects that execute arbitrary code when deserialized through the imagick parameter in attachment settings.

References

• https://www.exploit-db.com/exploits/46512
• https://www.vulncheck.com/advisories/phpbb-arbitrary-file-upload-via-phar-deserialization