CVE-2002-0475 in phpBB

Summary

by MITRE

Cross-site scripting vulnerability in phpBB 1.4.4 and earlier allows remote attackers to execute arbitrary Javascript on web clients by embedding the script within an IMG image tag while editing a message.


Analysis

by VulDB Data Team • 09/16/2025

CVE-2002-0475 is a critical cross-site scripting flaw in the phpBB bulletin board system, version 1.4.4 and earlier. It stems from inadequate input validation and output sanitization in the forum's message editing functionality. An attacker can craft a message that embeds JavaScript within an IMG image tag, bypassing the measures intended to keep such payloads from executing in users' browsers.

The vulnerability arises from improper handling of user-supplied data in the phpBB message editing interface. When a user creates or modifies a post containing a specially crafted IMG tag with JavaScript embedded in its attributes, the application fails to sanitize or escape the input before rendering it in the browser. The result is a persistent cross-site scripting vector: the script executes within the victim's browser session, potentially compromising user credentials, session cookies, or other sensitive information. The flaw lies specifically in the handling of IMG tag attributes, which are commonly used for image embedding but become a conduit for script execution when not properly filtered.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the ability to perform session hijacking, steal user authentication tokens, redirect victims to malicious websites, or even inject additional malicious content into the forum environment. This type of vulnerability directly violates the principles of secure web application development and represents a significant threat to user privacy and data integrity within the phpBB community. The vulnerability affects all users who view the maliciously crafted posts, creating a widespread impact that can compromise multiple user sessions and potentially lead to unauthorized administrative access if the targeted users hold elevated privileges within the forum.

Mitigation for CVE-2002-0475 starts with immediately patching affected phpBB installations to versions that properly sanitize user input and apply output encoding to all dynamic content. System administrators should enforce strict input validation that prevents JavaScript from being included in IMG tag attributes and ensure that all user-generated content is sanitized before it is rendered to other users. The vulnerability aligns with CWE-79, which addresses cross-site scripting flaws, and follows patterns commonly seen in ATT&CK technique T1566 related to social engineering through malicious content delivery. Organizations should also deploy Content Security Policy headers as additional defense-in-depth, though the primary remediation must remain patching the underlying application so that improperly sanitized user input cannot execute JavaScript.
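The input validation, output encoding and Content Security Policy measures described above, as an added PHP (7.1+) example that is not phpBB's code or its actual patch. The `[img]...[/img]` markup, the function names, the policy string and the sample posts are assumptions made for illustration.

```php
<?php
// Added example; safe_img_url() and render_img_bbcode() are hypothetical names, not phpBB code.
const ALLOWED_IMG_SCHEMES = ['http', 'https'];

/** Return the URL if it is safe to place in an img src attribute, otherwise null. */
function safe_img_url(string $raw): ?string
{
    $url = trim($raw);
    // Reject control characters, whitespace, quotes and angle brackets outright.
    if ($url === '' || preg_match('/[\x00-\x20\x7f"\'<>`]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    // Require an explicit scheme and host; "javascript:..." parses without a host.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    return in_array(strtolower($parts['scheme']), ALLOWED_IMG_SCHEMES, true) ? $url : null;
}

/** Render a post: escape everything, then turn only validated [img] tags into HTML. */
function render_img_bbcode(string $post): string
{
    // Escape first, so the only markup reaching the browser is what this function emits.
    $escaped = htmlspecialchars($post, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return preg_replace_callback(
        '#\[img\](.*?)\[/img\]#is',
        function (array $m): string {
            $url = safe_img_url(htmlspecialchars_decode($m[1], ENT_QUOTES));
            if ($url === null) {
                return $m[0]; // rejected: stays as inert, already-escaped text
            }
            return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
        },
        $escaped
    ) ?? $escaped;
}

/** Defense-in-depth: assumes the forum serves its own scripts from the same origin. */
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; img-src 'self' https:; script-src 'self'");
}

// Constructed sample posts: one legitimate image, two that must not become markup.
foreach (['See [img]https://example.com/cat.png[/img]',
          '[img]javascript:alert(1)[/img]',
          '[img]https://example.com/x.png" onerror="alert(1)[/img]'] as $post) {
    echo render_img_bbcode($post), PHP_EOL;
}
```

Only the first post yields an `<img>` element; the other two are printed as escaped text because the URL fails the scheme and character checks.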

Disclosure

08/12/2002

Moderation

accepted

Entry

VDB-18531

CPE

ready

EPSS

0.01329

KEV

no

Activities

very low
