phpBB 3.2.8 allows a CSRF attack that can modify a group avatar.Referenceshttps://blog.phpbb.com/category/security/https://www.phpbb.com/community/viewtopic.php?f=14&t=2534536
