ASA-2018-00052 – phpBB: Authenticated remote code execution via Phar deserialization

Passing an absolute path to a file_exists() check in phpBB before 3.2.4 allows authenticated remote code execution through object injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.
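
A defensive pattern for this bug class, as an added example that is not phpBB's code or its 3.2.4 fix: refuse stream-wrapper schemes and canonicalise the path before it reaches file_exists(). The helper name `safe_file_exists`, the base-directory parameter and the sample paths are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not phpBB code): existence check for a user-supplied
 * path that never lets a stream wrapper such as phar:// reach the filesystem API.
 */
function safe_file_exists(string $path, string $baseDir): bool
{
    // Refuse NUL bytes and any wrapper scheme (phar://, PHAR://, zip://, ...)
    // before a single filesystem function sees the value.
    if ($path === '' || strpos($path, "\0") !== false || strpos($path, '://') !== false) {
        return false;
    }

    // Canonicalise both sides; realpath() returns false for missing targets.
    $base = realpath($baseDir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return false;
    }

    // Accept only targets that resolve inside the allowed directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 && file_exists($real);
}

// Constructed demo data: a temporary directory standing in for the allowed location.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'allowed_' . bin2hex(random_bytes(4));
mkdir($base);
touch($base . DIRECTORY_SEPARATOR . 'tool');

$samples = [
    $base . DIRECTORY_SEPARATOR . 'tool',                               // inside base, exists
    $base . DIRECTORY_SEPARATOR . '..' . DIRECTORY_SEPARATOR . 'other', // resolves outside base
    'phar://' . $base . '/archive.bin/x',                               // wrapper scheme
    'PHAR://' . $base . '/archive.bin/x',                               // schemes are case-insensitive
];
foreach ($samples as $p) {
    printf("%-5s %s\n", safe_file_exists($p, $base) ? 'allow' : 'deny', $p);
}

// Clean up the constructed demo files.
unlink($base . DIRECTORY_SEPARATOR . 'tool');
rmdir($base);
```

From PHP 8.0 onward, Phar metadata is no longer unserialized automatically by stream operations such as file_exists(); the check above still keeps wrapper schemes out of filesystem calls on older runtimes and for other wrappers.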