CVE-2019-25685
Published: 05 April 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2019-25685 is an arbitrary file upload vulnerability in phpBB, exploitable through the plupload functionality combined with the phar:// stream wrapper. An attacker uploads a crafted ZIP file containing serialized PHP objects and then references it through a phar:// path in the imagick parameter of the attachment settings; when phpBB performs a file operation on that path, the embedded objects are deserialized and arbitrary code is executed. The vulnerability is associated with CWE-22 (Path Traversal) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Authenticated attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables uploading malicious files, leading to remote code execution on the server, with high impacts on confidentiality, integrity, and availability.
Advisories and related resources, including the VulnCheck advisory at https://www.vulncheck.com/advisories/phpbb-arbitrary-file-upload-via-phar-deserialization and a proof-of-concept exploit at https://www.exploit-db.com/exploits/46512, provide further technical details on the issue.
A public exploit is available, highlighting the risk of real-world exploitation in unpatched phpBB installations.
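The summary above describes the root cause: a path setting intended to hold a plain filesystem location (the imagick parameter) accepts a phar:// stream wrapper URL, and PHP's file functions then deserialize the archive's metadata. The check below is an added example written for this page, not code from phpBB; it shows the defensive validation a maintainer or a request-filtering layer would apply to such a setting. It generalises beyond phar:// to reject any PHP stream wrapper scheme in a path setting, and separately flags request parameters whose decoded value begins with one of the wrappers known to be dangerous. The parameter name "imagick" is taken from the summary; the sample values and the `BLOCKED_WRAPPERS` list are constructed here.

```python
import re
from urllib.parse import unquote

# PHP stream wrappers that must never appear in a user-supplied path.
# phar:// is the one this CVE abuses; the rest are listed as an assumption
# for defence in depth, not taken from the advisory.
BLOCKED_WRAPPERS = frozenset({
    "phar", "data", "php", "glob", "expect", "zip",
    "compress.zlib", "compress.bzip2",
})

# A scheme is two or more scheme characters followed by ':'.  Requiring at
# least two characters keeps a Windows drive letter such as "C:" from matching.
SCHEME_RE = re.compile(r"^\s*([a-z][a-z0-9+.\-]+):", re.IGNORECASE)


def normalise(value: str) -> str:
    """Percent-decode twice so double-encoded input is compared in its final form."""
    decoded = value
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded


def validate_path_setting(value: str) -> tuple[bool, str]:
    """Accept only a plain filesystem path for a directory/binary setting.

    Returns (ok, reason).  Any URL-style scheme is rejected, not just phar://,
    because every PHP stream wrapper changes what the file functions operate on.
    """
    decoded = normalise(value)
    if not decoded.strip():
        return False, "empty path"
    if "\x00" in decoded:
        return False, "embedded NUL byte"
    match = SCHEME_RE.match(decoded)
    if match:
        return False, f"stream wrapper scheme not allowed: {match.group(1).lower()}://"
    # Reject parent-directory traversal regardless of separator style.
    if ".." in decoded.replace("\\", "/").split("/"):
        return False, "parent-directory traversal not allowed"
    return True, "ok"


def scan_request_params(params: dict[str, str]) -> list[str]:
    """Return the names of parameters whose decoded value starts with a blocked wrapper.

    Unlike validate_path_setting, this is applied to every parameter, so only the
    known-dangerous wrappers are flagged; ordinary https:// values pass through.
    """
    flagged = []
    for name, value in params.items():
        match = SCHEME_RE.match(normalise(value))
        if match and match.group(1).lower() in BLOCKED_WRAPPERS:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed sample: the shape of an attachment-settings form submission.
    sample_request = {
        "imagick": "phar:///var/www/phpbb/files/attachment.zip",  # constructed value
        "upload_path": "files",
        "referer": "https://forum.example/adm/index.php",
    }
    for key, val in sample_request.items():
        print(key, validate_path_setting(val))
    print("flagged parameters:", scan_request_params(sample_request))
```

Rejecting the scheme outright is preferable to blocklisting phar:// alone: the setting never legitimately holds a URL, so an allowlist of plain paths closes the whole class rather than the one wrapper this CVE used.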
Details
- CWE(s): CWE-22 (Path Traversal)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2019-25685 enables exploitation of a public-facing phpBB web application via authenticated arbitrary file upload and phar deserialization leading to remote code execution.
References
- No references listed