| Field | Value |
|---|---|
| purl | pkg:deb/debian/phpmyadmin@4:2.6.2-3sarge6 |
| Next non-vulnerable version | 4:5.2.2-really+dfsg-1+deb13u1 |
| Latest non-vulnerable version | 4:5.2.2-really+dfsg-1+deb13u1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1aqb-7an7-mbed
Aliases: CVE-2013-4998 |
phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to pmd_common.php and other files. |
Affected by 115 other vulnerabilities. |
|
VCID-1ckz-f61g-bubu
Aliases: CVE-2007-1395 |
Incomplete blacklist vulnerability in index.php in phpMyAdmin 2.8.0 through 2.9.2 allows remote attackers to conduct cross-site scripting (XSS) attacks by injecting arbitrary JavaScript or HTML in a (1) db or (2) table parameter value followed by an uppercase </SCRIPT> end tag, which bypasses the protection against lowercase </script>. |
Affected by 190 other vulnerabilities. |
|
VCID-1drk-gzqj-2qc5
Aliases: CVE-2016-5099 |
Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding. |
Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-1g6g-r599-8qes
Aliases: CVE-2006-6373 |
PhpMyAdmin 2.7.0-pl2 allows remote attackers to obtain sensitive information via a direct request for libraries/common.lib.php, which reveals the path in an error message. |
Affected by 208 other vulnerabilities. |
|
VCID-1hvw-4h4d-zkhv
Aliases: CVE-2016-2040 GHSA-pw34-qf6c-84fc |
Cross-site Scripting Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin allow remote authenticated users to inject arbitrary web script or HTML. |
Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-1pyg-w3ru-3ffx
Aliases: CVE-2007-1325 |
The PMA_ArrayWalkRecursive function in libraries/common.lib.php in phpMyAdmin before 2.10.0.2 does not limit recursion on arrays provided by users, which allows context-dependent attackers to cause a denial of service (web server crash) via an array with many dimensions. NOTE: it could be argued that this vulnerability is caused by a problem in PHP (CVE-2006-1549) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in phpMyAdmin. |
Affected by 190 other vulnerabilities. |
|
VCID-219n-4qwz-zqg4
Aliases: CVE-2008-4326 |
The PMA_escapeJsString function in libraries/js_escape.lib.php in phpMyAdmin before 2.11.9.2, when Internet Explorer is used, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via a NUL byte inside a "</script" sequence. |
Affected by 190 other vulnerabilities. |
|
VCID-222u-hen7-cbc2
Aliases: CVE-2011-3646 |
phpmyadmin.css.php in phpMyAdmin 3.4.x before 3.4.6 allows remote attackers to obtain sensitive information via an array-typed js_frame parameter to phpmyadmin.css.php, which reveals the installation path in an error message. |
Affected by 145 other vulnerabilities. |
|
VCID-22fm-v29s-ukdg
Aliases: CVE-2006-6942 |
Multiple cross-site scripting (XSS) vulnerabilities in PhpMyAdmin before 2.9.1.1 allow remote attackers to inject arbitrary HTML or web script via (1) a comment for a table name, as exploited through (a) db_operations.php, (2) the db parameter to (b) db_create.php, (3) the newname parameter to db_operations.php, the (4) query_history_latest, (5) query_history_latest_db, and (6) querydisplay_tab parameters to (c) querywindow.php, and (7) the pos parameter to (d) sql.php. |
Affected by 208 other vulnerabilities. |
|
VCID-22za-twtc-akan
Aliases: CVE-2006-6943 |
PhpMyAdmin before 2.9.1.1 allows remote attackers to obtain the full server path via direct requests to (a) scripts/check_lang.php and (b) themes/darkblue_orange/layout.inc.php; and via the (1) lang[], (2) target[], (3) db[], (4) goto[], (5) table[], and (6) tbl_group[] array arguments to (c) index.php, and the (7) back[] argument to (d) sql.php; and an invalid (8) sort_by parameter to (e) server_databases.php and (9) db parameter to (f) db_printview.php. |
Affected by 208 other vulnerabilities. |
|
VCID-23dq-w66r-k3bt
Aliases: CVE-2017-1000015 GHSA-3fgq-cmr4-97rr |
Cross-site Scripting phpMyAdmin is vulnerable to a CSS injection attack through crafted cookie parameters. |
Affected by 24 other vulnerabilities. |
|
VCID-24f5-741f-rkgx
Aliases: CVE-2008-7252 GHSA-9645-6g72-2pv8 |
libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 uses predictable filenames for temporary files, which has unknown impact and attack vectors. |
Affected by 171 other vulnerabilities. |
|
VCID-27w6-zhxk-x7e7
Aliases: CVE-2016-2561 |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3) templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos parameter to db_central_columns.php in the central columns page. |
Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-282b-1ugg-yuev
Aliases: CVE-2016-6621 GHSA-44vv-mm86-7cg6 |
phpMyAdmin server-side request forgery (SSRF) The setup script for phpMyAdmin before 4.0.10.19, 4.4.x before 4.4.15.10, and 4.6.x before 4.6.6 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors. |
Affected by 24 other vulnerabilities. |
|
VCID-2at1-y3qg-77fb
Aliases: CVE-2020-10803 GHSA-fcww-8wvc-38q9 |
Cross-site Scripting An SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in `tbl_get_field.php` and `libraries/classes/Display/Results.php`). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack. |
Affected by 7 other vulnerabilities. |
|
VCID-2hse-tgk7-zban
Aliases: CVE-2005-3300 |
The register_globals emulation layer in grab_globals.php for phpMyAdmin before 2.6.4-pl3 does not perform safety checks on values in the _FILES array for uploaded files, which allows remote attackers to include arbitrary files by using direct requests to library scripts that do not use grab_globals.php, then modifying certain configuration values for the theme. |
Affected by 208 other vulnerabilities. |
|
VCID-2k4p-dxku-97h1
Aliases: CVE-2009-3697 |
SQL injection vulnerability in the PDF schema generator functionality in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified interface parameters. |
Affected by 171 other vulnerabilities. |
|
VCID-2s34-4fkm-7yhs
Aliases: CVE-2006-5117 |
phpMyAdmin before 2.9.1-rc1 has a libraries directory under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information via direct requests for certain files. |
Affected by 208 other vulnerabilities. |
|
VCID-2vqn-z4en-duh4
Aliases: CVE-2016-5730 GHSA-wm9c-vcv2-vpqc |
Information Exposure phpMyAdmin allows remote attackers to obtain sensitive information. |
Affected by 24 other vulnerabilities. |
|
VCID-2zsp-w2wa-eqe4
Aliases: CVE-2007-6100 |
Cross-site scripting (XSS) vulnerability in libraries/auth/cookie.auth.lib.php in phpMyAdmin before 2.11.2.2, when logins are authenticated with the cookie auth_type, allows remote attackers to inject arbitrary web script or HTML via the convcharset parameter to index.php, a different vulnerability than CVE-2005-0992. |
Affected by 190 other vulnerabilities. |
|
VCID-31jg-3pzb-y3b6
Aliases: CVE-2016-9853 GHSA-rmmf-5xhh-gg27 |
An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the fopen wrapper issue. |
Affected by 24 other vulnerabilities. |
|
VCID-32ja-yuuw-bbbh
Aliases: CVE-2020-10804 GHSA-h65r-8fp8-w7cx |
SQL Injection An SQL injection vulnerability was found in retrieval of the current username (in `libraries/classes/Server/Privileges.php` and `libraries/classes/UserPassword.php`). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges). |
Affected by 7 other vulnerabilities. |
|
VCID-33kv-ye2c-ebax
Aliases: CVE-2016-5097 |
phpMyAdmin before 4.6.2 places tokens in query strings and does not arrange for them to be stripped before external navigation, which allows remote attackers to obtain sensitive information by reading (1) HTTP requests or (2) server logs. |
Affected by 24 other vulnerabilities. |
|
VCID-33mh-s92h-c7ht
Aliases: CVE-2016-5739 GHSA-2p7v-jm8m-g3qq |
phpMyAdmin vulnerable to Cross-Site Request Forgery The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php. |
Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-38tp-acy8-57hj
Aliases: CVE-2017-1000014 GHSA-9hrc-rwrq-v6mh |
Improper Input Validation phpMyAdmin is vulnerable to a DoS weakness in the table editing functionality. |
Affected by 24 other vulnerabilities. |
|
VCID-3trr-z4gq-pbdr
Aliases: CVE-2013-4999 |
phpMyAdmin 4.0.x before 4.0.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to Error.class.php and Error_Handler.class.php. |
Affected by 115 other vulnerabilities. |
|
VCID-3va7-xx14-gkds
Aliases: CVE-2016-6613 GHSA-6j2v-g9rg-qcm5 |
Information Exposure An issue was discovered in phpMyAdmin. A user can specially craft a symlink on disk, to a file which phpMyAdmin is permitted to read but the user is not, which phpMyAdmin will then expose to the user. |
Affected by 24 other vulnerabilities. |
|
VCID-3y3t-vv23-h7bk
Aliases: CVE-2007-0095 |
phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information via a direct request for themes/darkblue_orange/layout.inc.php, which reveals the path in an error message. |
Affected by 208 other vulnerabilities. |
|
VCID-44uc-xrvp-7bet
Aliases: CVE-2016-6624 GHSA-mhxj-6vf8-mwv3 |
Incomplete List of Disallowed Inputs An issue was discovered in phpMyAdmin involving improper enforcement of the IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules. |
Affected by 24 other vulnerabilities. |
|
VCID-4avx-e9mf-2yb1
Aliases: CVE-2016-6618 GHSA-rv6m-chvv-wmxg |
Uncontrolled Resouce Consumption An issue was discovered in phpMyAdmin. The transformation feature allows a user to trigger a denial-of-service (DoS) attack against the server. |
Affected by 24 other vulnerabilities. |
|
VCID-4dtg-44bh-cbfz
Aliases: CVE-2006-1258 |
Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.1 allows remote attackers to inject arbitrary web script or HTML via the set_theme parameter. |
Affected by 208 other vulnerabilities. |
|
VCID-4hpq-hacm-nqff
Aliases: CVE-2006-5718 |
Cross-site scripting (XSS) vulnerability in error.php in phpMyAdmin 2.6.4 through 2.9.0.2 allows remote attackers to inject arbitrary web script or HTML via UTF-7 or US-ASCII encoded characters, which are injected into an error message, as demonstrated by a request with a utf7 charset parameter accompanied by UTF-7 data. |
Affected by 208 other vulnerabilities. |
|
VCID-4kax-4bpz-g7c5
Aliases: CVE-2016-2041 GHSA-8m97-xc46-rw9w |
Covert Timing Channel `libraries/common.inc.php` in phpMyAdmin does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences. |
Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-4vgu-cagj-hfhb
Aliases: CVE-2016-6609 GHSA-wpww-hx7x-xfjh |
Command Injection An issue was discovered in phpMyAdmin. A specially crafted database name could be used to run arbitrary PHP commands through the array export feature. |
Affected by 24 other vulnerabilities. |
|
VCID-4wn2-pnbv-sked
Aliases: CVE-2018-19970 GHSA-8987-93fh-rcwq |
Cross-site Scripting In phpMyAdm, an XSS vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a crafted `database/table` name. |
Affected by 7 other vulnerabilities. |
|
VCID-52xs-45kd-w3hz
Aliases: CVE-2018-19968 GHSA-xc97-r49q-cxgc |
Information Exposure An attacker can exploit phpMyAdm to leak the contents of a local file because of an error in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system. |
Affected by 7 other vulnerabilities. |
|
VCID-59mu-8aep-9ycn
Aliases: CVE-2025-24530 GHSA-222v-cx2c-q2f5 |
phpMyAdmin XSS when checking tables An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS. |
Affected by 1 other vulnerability. |
|
VCID-5agv-hmbw-hfhe
Aliases: CVE-2007-5977 |
Cross-site scripting (XSS) vulnerability in db_create.php in phpMyAdmin before 2.11.2.1 allows remote authenticated users with CREATE DATABASE privileges to inject arbitrary web script or HTML via a hex-encoded IMG element in the db parameter in a POST request, a different vulnerability than CVE-2006-6942. |
Affected by 190 other vulnerabilities. |
|
VCID-5bu8-wy7w-bqfc
Aliases: CVE-2016-6606 |
An issue was discovered in cookie encryption in phpMyAdmin. The decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user's browser cookie file to decrypt the username and password. Furthermore, the same initialization vector (IV) is used to hash the username and password stored in the phpMyAdmin cookie. If a user has the same password as their username, an attacker who examines the browser cookie can see that they are the same - but the attacker can not directly decode these values from the cookie as it is still hashed. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-5jye-2stz-fqam
Aliases: CVE-2021-21252 GHSA-jxwx-85vp-gvwm |
Uncontrolled Resource Consumption The jQuery Validation Plugin provides drop-in validation for your existing forms. It is published as an npm package "jquery-validation". jquery-validation before version 1.19.3 contains one or more regular expressions that is vulnerable to ReDoS (Regular Expression Denial of Service). This is fixed in 1.19.3. |
Affected by 7 other vulnerabilities. |
|
VCID-5zcv-w67e-67dr
Aliases: CVE-2005-2869 |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the Username to libraries/auth/cookie.auth.lib.php or (2) the error parameter to error.php. |
Affected by 208 other vulnerabilities. |
|
VCID-66fp-4jdj-xuba
Aliases: CVE-2008-3457 |
Cross-site scripting (XSS) vulnerability in setup.php in phpMyAdmin before 2.11.8 allows user-assisted remote attackers to inject arbitrary web script or HTML via crafted setup arguments. NOTE: this issue can only be exploited in limited scenarios in which the attacker must be able to modify config/config.inc.php. |
Affected by 190 other vulnerabilities. |
|
VCID-67va-epqd-vydp
Aliases: CVE-2011-3592 GHSA-5p69-rmx8-7gw7 |
Multiple cross-site scripting (XSS) vulnerabilities in the PMA_unInlineEditRow function in js/sql.js in phpMyAdmin 3.4.x before 3.4.5 allow remote authenticated users to inject arbitrary web script or HTML via a (1) database name, (2) table name, or (3) column name that is not properly handled after an inline-editing operation. |
Affected by 145 other vulnerabilities. |
|
VCID-6gs5-cswx-bfeb
Aliases: CVE-2016-2042 |
phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request to (1) libraries/phpseclib/Crypt/AES.php or (2) libraries/phpseclib/Crypt/Rijndael.php, which reveals the full path in an error message. |
Affected by 24 other vulnerabilities. |
|
VCID-6r4m-kxj7-ybb6
Aliases: CVE-2011-2506 GHSA-p6h7-29r2-g88f |
Improper Control of Generation of Code ('Code Injection') setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array. |
Affected by 145 other vulnerabilities. |
|
VCID-73vh-drey-2fdm
Aliases: CVE-2005-3621 GHSA-wj42-52pv-wfj2 |
phpMyAdmin CRLF Injection Vulnerability CRLF injection vulnerability in phpMyAdmin before 2.6.4-pl4 allows remote attackers to conduct HTTP response splitting attacks via unspecified scripts. |
Affected by 208 other vulnerabilities. |
|
VCID-7avk-rmwd-yugt
Aliases: CVE-2016-6620 |
An issue was discovered in phpMyAdmin. Some data is passed to the PHP unserialize() function without verification that it's valid serialized data. The unserialization can result in code execution because of the interaction with object instantiation and autoloading. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-7m4m-5dm1-9uhn
Aliases: CVE-2005-3665 |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.7.0 allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP_HOST variable and (2) various scripts in the libraries directory that handle header generation. |
Affected by 208 other vulnerabilities. |
|
VCID-7ntf-d3af-nbbk
Aliases: CVE-2014-8958 |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database, (2) table, or (3) column name that is improperly handled during rendering of the table browse page; a crafted ENUM value that is improperly handled during rendering of the (4) table print view or (5) zoom search page; or (6) a crafted pma_fontsize cookie that is improperly handled during rendering of the home page. |
Affected by 145 other vulnerabilities. Affected by 115 other vulnerabilities. Affected by 113 other vulnerabilities. |
|
VCID-7pwj-c6c4-gbeq
Aliases: CVE-2012-4219 |
show_config_errors.php in phpMyAdmin 3.5.x before 3.5.2.1 allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message, related to lack of inclusion of the common.inc.php library file. |
Affected by 115 other vulnerabilities. |
|
VCID-7vpu-x9mb-q3c6
Aliases: CVE-2020-5504 GHSA-fgj8-93xx-f6g6 |
In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server. |
Affected by 7 other vulnerabilities. |
|
VCID-813p-z2vq-auh8
Aliases: CVE-2007-0341 |
Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.1 and earlier, when Microsoft Internet Explorer 6 is used, allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in a CSS style in the convcharset parameter to the top-level URI, a different vulnerability than CVE-2005-0992. |
Affected by 208 other vulnerabilities. |
|
VCID-84n7-nzzg-juhz
Aliases: CVE-2016-5702 GHSA-xqw9-ffx7-g998 |
phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI. |
Affected by 24 other vulnerabilities. |
|
VCID-858m-cbw6-cfc1
Aliases: CVE-2013-4995 |
Cross-site scripting (XSS) vulnerability in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted SQL query that is not properly handled during the display of row information. |
Affected by 145 other vulnerabilities. Affected by 115 other vulnerabilities. |
|
VCID-8amg-r4d1-kubh
Aliases: CVE-2011-1940 GHSA-4q58-5x28-53wv |
phpMyAdmin Vulnerable to Cross-Site Scripting Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.3.x before 3.3.10.1 and 3.4.x before 3.4.1 allow remote attackers to inject arbitrary web script or HTML via a crafted table name that triggers improper HTML rendering on a Tracking page, related to (1) libraries/tbl_links.inc.php and (2) tbl_tracking.php. |
Affected by 145 other vulnerabilities. |
|
VCID-8chr-uuma-syby
Aliases: CVE-2008-4096 |
libraries/database_interface.lib.php in phpMyAdmin before 2.11.9.1 allows remote authenticated users to execute arbitrary code via a request to server_databases.php with a sort_by parameter containing PHP sequences, which are processed by create_function. |
Affected by 190 other vulnerabilities. |
|
VCID-8euz-dr4k-y3br
Aliases: CVE-2009-1150 |
Multiple cross-site scripting (XSS) vulnerabilities in the export page (display_export.lib.php) in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allow remote attackers to inject arbitrary web script or HTML via the pma_db_filename_template cookie. |
Affected by 171 other vulnerabilities. |
|
VCID-8jt7-y15v-83gj
Aliases: CVE-2016-6615 |
XSS issues were discovered in phpMyAdmin. This affects navigation pane and database/table hiding feature (a specially-crafted database name can be used to trigger an XSS attack); the "Tracking" feature (a specially-crafted query can be used to trigger an XSS attack); and GIS visualization feature. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-8rvw-n1fg-ffc2
Aliases: CVE-2019-12616 GHSA-mfr9-pcm3-6mwc |
Cross-Site Request Forgery (CSRF) A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken `<img>` tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific `INSERT` or `DELETE` statement) to the victim. |
Affected by 7 other vulnerabilities. |
|
VCID-8syp-xj1q-a7dx
Aliases: CVE-2007-2245 |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.10.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the fieldkey parameter to browse_foreigners.php or (2) certain input to the PMA_sanitize function. |
Affected by 190 other vulnerabilities. |
|
VCID-8yxm-e33n-d7gj
Aliases: CVE-2016-6619 |
An issue was discovered in phpMyAdmin. In the user interface preference feature, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-92xz-8fkp-ekh3
Aliases: CVE-2011-2508 GHSA-q6vw-39cg-wjjf |
phpMyAdmin Directory Traversal vulnerability Directory traversal vulnerability in libraries/display_tbl.lib.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1, when a certain MIME transformation feature is enabled, allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in a GLOBALS[mime_map][$meta->name][transformation] parameter. |
Affected by 145 other vulnerabilities. |
|
VCID-94pm-84ku-w3cw
Aliases: CVE-2011-3591 GHSA-3p87-w3c5-27gf |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.4.x before 3.4.5 allow remote authenticated users to inject arbitrary web script or HTML via a crafted row that triggers an improperly constructed confirmation message after inline-editing and save operations, related to (1) js/functions.js and (2) js/tbl_structure.js. |
Affected by 145 other vulnerabilities. |
|
VCID-9fse-nc5w-2fay
Aliases: CVE-2006-6944 |
phpMyAdmin before 2.9.1.1 allows remote attackers to bypass Allow/Deny access rules that use IP addresses via false headers. |
Affected by 208 other vulnerabilities. |
|
VCID-9nh7-ny6c-n3cd
Aliases: CVE-2016-6626 |
An issue was discovered in phpMyAdmin. An attacker could redirect a user to a malicious web page. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-9qsc-1gqr-g3gj
Aliases: CVE-2010-3055 |
The configuration setup script (aka scripts/setup.php) in phpMyAdmin 2.11.x before 2.11.10.1 does not properly restrict key names in its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request. |
Affected by 171 other vulnerabilities. |
|
VCID-9tdu-572c-tbb2
Aliases: CVE-2016-5703 |
SQL injection vulnerability in libraries/central_columns.lib.php in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allows remote attackers to execute arbitrary SQL commands via a crafted database name that is mishandled in a central column query. |
Affected by 24 other vulnerabilities. |
|
VCID-9y3y-59rh-ubfv
Aliases: CVE-2010-3263 |
Cross-site scripting (XSS) vulnerability in setup/frames/index.inc.php in the setup script in phpMyAdmin 3.x before 3.3.7 allows remote attackers to inject arbitrary web script or HTML via a server name. |
Affected by 171 other vulnerabilities. |
|
VCID-9z7g-cffj-1ufe
Aliases: CVE-2014-8960 |
Cross-site scripting (XSS) vulnerability in libraries/error_report.lib.php in the error-reporting feature in phpMyAdmin 4.1.x before 4.1.14.7 and 4.2.x before 4.2.12 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename. |
Affected by 115 other vulnerabilities. |
|
VCID-a4fa-ms27-93fn
Aliases: CVE-2014-5274 GHSA-q586-xpwr-jc3j |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in the view operations page in phpMyAdmin 4.1.x before 4.1.14.3 and 4.2.x before 4.2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted view name, related to js/functions.js. |
Affected by 115 other vulnerabilities. |
|
VCID-a94q-k98a-6qbw
Aliases: CVE-2014-7217 GHSA-wv8g-fx9j-q2jg |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.4, 4.1.x before 4.1.14.5, and 4.2.x before 4.2.9.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted ENUM value that is improperly handled during rendering of the (1) table search or (2) table structure page, related to libraries/TableSearch.class.php and libraries/Util.class.php. |
Affected by 115 other vulnerabilities. |
|
VCID-abn5-z84m-zqas
Aliases: CVE-2011-2642 |
Multiple cross-site scripting (XSS) vulnerabilities in the table Print view implementation in tbl_printview.php in phpMyAdmin before 3.3.10.3 and 3.4.x before 3.4.3.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted table name. |
Affected by 145 other vulnerabilities. |
|
VCID-ajeh-4q9t-sydz
Aliases: CVE-2016-9850 |
An issue was discovered in phpMyAdmin. Username matching for the allow/deny rules may result in wrong matches and detection of the username in the rule due to non-constant execution time. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-ajf6-bk2g-wkb7
Aliases: CVE-2019-6799 GHSA-c8wj-q36q-3wg4 |
Information Exposure When the `AllowArbitraryServer` configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the `mysql.allow_local_infile` PHP configuration, and the inadvertent ignoring of `options(MYSQLI_OPT_LOCAL_INFILE` calls. |
Affected by 7 other vulnerabilities. |
|
VCID-ajmz-kfxh-sqaf
Aliases: CVE-2013-4996 |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted database name, (2) a crafted user name, (3) a crafted logo URL in the navigation panel, (4) a crafted entry in a certain proxy list, or (5) crafted content in a version.json file. |
Affected by 145 other vulnerabilities. Affected by 115 other vulnerabilities. |
|
VCID-amgy-teas-euh5
Aliases: CVE-2014-8326 GHSA-pvr5-84gr-g985 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.5, 4.1.x before 4.1.14.6, and 4.2.x before 4.2.10.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database name or (2) table name, related to the libraries/DatabaseInterface.class.php code for SQL debug output and the js/server_status_monitor.js code for the server monitor page. |
Affected by 115 other vulnerabilities. |
|
VCID-b2nf-6pr3-xqaa
Aliases: CVE-2020-26935 GHSA-7ff4-cv53-4cjq |
SQL Injection An issue was discovered in SearchController in phpMyAdmin. An SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL in to a query. |
Affected by 7 other vulnerabilities. |
|
VCID-b4jk-yjfy-pfcv
Aliases: CVE-2016-2044 |
libraries/sql-parser/autoload.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. |
Affected by 24 other vulnerabilities. |
|
VCID-b6ng-ygap-zqh4
Aliases: CVE-2016-2562 GHSA-w8qg-j9fp-hrjf |
Improper Input Validation The `checkHTTP` function in `libraries/Config.class.php` in phpMyAdmin does not verify X.509 certificates from `api.github.com` SSL servers, which allows man-in-the-middle attackers to spoof these servers and obtain sensitive information via a crafted certificate. |
Affected by 24 other vulnerabilities. |
| VCID-bcgq-2961-43b9; Aliases: CVE-2011-2643 | Directory traversal vulnerability in sql.php in phpMyAdmin 3.4.x before 3.4.3.2, when configuration storage is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in a MIME-type transformation parameter. | Affected by 145 other vulnerabilities. |
| VCID-bd83-vf81-sfa4; Aliases: CVE-2019-6798 GHSA-f732-fxh6-g4qj | SQL Injection: An issue was discovered in phpMyAdmin. A vulnerability was reported where a specially crafted username can be used to trigger a SQL injection attack through the designer feature. | Affected by 7 other vulnerabilities. |
| VCID-bddg-5zgr-3uew; Aliases: CVE-2016-5705 GHSA-6q2j-8h8q-46mr | phpMyAdmin vulnerable to Cross-site Scripting: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an "invalid JSON" error message in the error console, (3) a database name in the central columns implementation, (4) a group name, or (5) a search name in the bookmarks implementation. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-bshf-rz9w-3yb3; Aliases: CVE-2013-5001 | Cross-site scripting (XSS) vulnerability in libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php in phpMyAdmin 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted object name associated with a TextLinkTransformationPlugin link. | Affected by 115 other vulnerabilities. |
| VCID-btc1-yng3-ckhx; Aliases: CVE-2017-1000018 GHSA-47qr-f86f-3wm4 | Improper Input Validation: phpMyAdmin is vulnerable to a DoS attack in the replication status by using a specially crafted table name. | Affected by 24 other vulnerabilities. |
| VCID-cbjd-e3sk-m7bu; Aliases: CVE-2016-9866 GHSA-jvxx-8xxf-5495 | Cross-Site Request Forgery (CSRF): An issue was discovered in phpMyAdmin. When the arg_separator is different from its default value (&), the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. | Affected by 24 other vulnerabilities. |
| VCID-crn9-f6qt-qfg5; Aliases: CVE-2016-2039 | libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-cth2-72mg-6yfr; Aliases: CVE-2015-8669 | libraries/config/messages.inc.php in phpMyAdmin 4.0.x before 4.0.10.12, 4.4.x before 4.4.15.2, and 4.5.x before 4.5.3.1 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. | Affected by 24 other vulnerabilities. |
| VCID-cyv1-muwx-83h8; Aliases: CVE-2009-3696 GHSA-5pvv-f8h3-gw96 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted name for a MySQL table. | Affected by 171 other vulnerabilities. |
| VCID-cz55-m46r-37gb; Aliases: CVE-2015-3902 | Multiple cross-site request forgery (CSRF) vulnerabilities in the setup process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 allow remote attackers to hijack the authentication of administrators for requests that modify the configuration file. | Affected by 145 other vulnerabilities. Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-d2qr-f9x6-uqed; Aliases: CVE-2008-5621 | Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allows remote attackers to perform unauthorized actions as the administrator via a link or IMG tag to tbl_structure.php with a modified table parameter. NOTE: other unspecified pages are also reachable, but they have the same root cause. NOTE: this can be leveraged to conduct SQL injection attacks and execute arbitrary code. | Affected by 190 other vulnerabilities. |
| VCID-d7jk-a94y-n3ca; Aliases: CVE-2016-2038 | phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. | Affected by 24 other vulnerabilities. |
| VCID-dbk1-n9kh-dfhm; Aliases: CVE-2016-5704 GHSA-gcvp-cwgw-wx8j | Cross-site scripting (XSS) vulnerability in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving a comment. | Affected by 24 other vulnerabilities. |
| VCID-dfsz-1y13-yug9; Aliases: CVE-2016-9858 | An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in the saved searches feature. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. | Affected by 24 other vulnerabilities. |
| VCID-dgvs-kqpd-gfcy; Aliases: CVE-2016-2045 | Cross-site scripting (XSS) vulnerability in the SQL editor in phpMyAdmin 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a SQL query that triggers JSON data in a response. | Affected by 24 other vulnerabilities. |
| VCID-dj5f-y77j-d7dx; Aliases: CVE-2016-9849 | An issue was discovered in phpMyAdmin. It is possible to bypass the AllowRoot restriction ($cfg['Servers'][$i]['AllowRoot']) and deny rules for username by using a null byte in the username. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. | Affected by 24 other vulnerabilities. |
| VCID-dmu5-2jjk-rkcd; Aliases: CVE-2011-2507 | libraries/server_synchronize.lib.php in the Synchronize implementation in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly quote regular expressions, which allows remote authenticated users to inject a PCRE e (aka PREG_REPLACE_EVAL) modifier, and consequently execute arbitrary PHP code, by leveraging the ability to modify the SESSION superglobal array. | Affected by 145 other vulnerabilities. |
| VCID-dp72-nvcf-nyfd; Aliases: CVE-2013-3239 GHSA-gg36-9346-9qx9 | phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename of an export file, leading to interpretation of this file as an executable file by the Apache HTTP Server, as demonstrated by a .php.sql filename. | Affected by 145 other vulnerabilities. |
| VCID-dx3h-z4dg-m3e1; Aliases: CVE-2020-10802 GHSA-f4cr-3xmc-2wpm | SQL Injection: In phpMyAdmin, an SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in `libraries/classes/Controllers/Table/TableSearchController.php`. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table. | Affected by 7 other vulnerabilities. |
| VCID-e18p-vjux-tbe5; Aliases: CVE-2008-3197 | Cross-site request forgery (CSRF) vulnerability in phpMyAdmin before 2.11.7.1 allows remote attackers to perform unauthorized actions via a link or IMG tag to (1) the db parameter in the "Creating a Database" functionality (db_create.php), and (2) the convcharset and collation_connection parameters related to an unspecified program that modifies the connection character set. | Affected by 190 other vulnerabilities. |
| VCID-e677-1yaz-g3em; Aliases: CVE-2013-3742 | Cross-site scripting (XSS) vulnerability in view_create.php (aka the Create View page) in phpMyAdmin 4.x before 4.0.3 allows remote authenticated users to inject arbitrary web script or HTML via an invalid SQL CREATE VIEW statement with a crafted name that triggers an error message. | Affected by 115 other vulnerabilities. |
| VCID-efw4-vdcz-3yfn; Aliases: CVE-2011-2719 | libraries/auth/swekey/swekey.auth.lib.php in phpMyAdmin 3.x before 3.3.10.3 and 3.4.x before 3.4.3.2 does not properly manage sessions associated with Swekey authentication, which allows remote attackers to modify the SESSION superglobal array, other superglobal arrays, and certain swekey.auth.lib.php local variables via a crafted query string, a related issue to CVE-2011-2505. | Affected by 145 other vulnerabilities. |
| VCID-eqw3-es5t-5qan; Aliases: CVE-2011-0986 GHSA-wcmm-28rg-mg3r | phpMyAdmin 2.11.x before 2.11.11.2, and 3.3.x before 3.3.9.1, does not properly handle the absence of the (1) README, (2) ChangeLog, and (3) LICENSE files, which allows remote attackers to obtain the installation path via a direct request for a nonexistent file. | Affected by 145 other vulnerabilities. |
| VCID-f4vt-hr4k-byg1; Aliases: CVE-2006-1678 | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.8.0.3 allow remote attackers to inject arbitrary web script or HTML via unknown vectors in unspecified scripts in the themes directory. | Affected by 208 other vulnerabilities. |
| VCID-fa4e-8zf1-b3e3; Aliases: CVE-2005-4349 | SQL injection vulnerability in server_privileges.php in phpMyAdmin 2.7.0 allows remote authenticated users to execute arbitrary SQL commands via the (1) dbname and (2) checkprivs parameters. NOTE: the vendor and a third party have disputed this issue, saying that the main task of the program is to support query execution by authenticated users, and no external attack scenario exists without an auto-login configuration. Thus it is likely that this issue will be REJECTED. However, a closely related CSRF issue has been assigned CVE-2005-4450. | Affected by 171 other vulnerabilities. |
| VCID-fc5a-pvtd-wkcz; Aliases: CVE-2013-5000 | phpMyAdmin 3.5.x before 3.5.8.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to config.default.php and other files. | Affected by 115 other vulnerabilities. |
| VCID-fsub-2bfp-8qbw; Aliases: CVE-2014-8959 | Directory traversal vulnerability in libraries/gis/GIS_Factory.class.php in the GIS editor in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allows remote authenticated users to include and execute arbitrary local files via a crafted geometry-type parameter. | Affected by 115 other vulnerabilities. |
| VCID-g2uy-ekyf-4bcj; Aliases: CVE-2016-2043 | Cross-site scripting (XSS) vulnerability in the goToFinish1NF function in js/normalization.js in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a table name to the normalization page. | Affected by 24 other vulnerabilities. |
| VCID-g3fk-u3aq-dffu; Aliases: CVE-2011-3181 | Multiple cross-site scripting (XSS) vulnerabilities in the Tracking feature in phpMyAdmin 3.3.x before 3.3.10.4 and 3.4.x before 3.4.4 allow remote attackers to inject arbitrary web script or HTML via a (1) table name, (2) column name, or (3) index name. | Affected by 145 other vulnerabilities. |
| VCID-ghxh-h4px-rbbk; Aliases: CVE-2007-5386 | Cross-site scripting (XSS) vulnerability in scripts/setup.php in phpMyAdmin 2.11.1, when accessed by a browser that does not URL-encode requests, allows remote attackers to inject arbitrary web script or HTML via the query string. | Affected by 190 other vulnerabilities. |
| VCID-gmjk-222y-abda; Aliases: CVE-2016-6625 GHSA-r643-7xfg-ppc5 | Information Exposure: An issue was discovered in phpMyAdmin. An attacker can determine whether a user is logged in to phpMyAdmin. The user session, username, and password are not compromised by this vulnerability. | Affected by 24 other vulnerabilities. |
| VCID-gqxb-6rey-rbhv; Aliases: CVE-2016-5733 GHSA-cr65-p662-fx5c | phpMyAdmin vulnerable to Cross-site Scripting: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during privilege checking in table_row.phtml, (2) a crafted mysqld log_bin directive that is mishandled in log_selector.phtml, (3) the Transformation implementation, (4) AJAX error handling in js/ajax.js, (5) the Designer implementation, (6) the charts implementation in js/tbl_chart.js, or (7) the zoom-search implementation in rows_zoom.phtml. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-gtps-py3z-13cu; Aliases: CVE-2016-6633 GHSA-p849-vf5f-f3x7 | Code Injection: An issue was discovered in phpMyAdmin. phpMyAdmin can be used to trigger a remote code execution attack against certain PHP installations that are running with the dbase extension. | Affected by 24 other vulnerabilities. |
| VCID-gtzb-h7zg-1fgq; Aliases: CVE-2007-5976 | SQL injection vulnerability in db_create.php in phpMyAdmin before 2.11.2.1 allows remote authenticated users with CREATE DATABASE privileges to execute arbitrary SQL commands via the db parameter. | Affected by 190 other vulnerabilities. |
| VCID-gzwb-ju7m-juf7; Aliases: CVE-2016-6610 | A full path disclosure vulnerability was discovered in phpMyAdmin where a user can trigger a particular error in the export mechanism to discover the full path of phpMyAdmin on the disk. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | Affected by 24 other vulnerabilities. |
| VCID-har4-gaft-m7e8; Aliases: CVE-2025-24529 | An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab. | Affected by 1 other vulnerability. |
| VCID-hbp6-s544-pqaw; Aliases: CVE-2016-6631 | An issue was discovered in phpMyAdmin. A user can execute a remote code execution attack against a server when phpMyAdmin is being run as a CGI application. Under certain server configurations, a user can pass a query string which is executed as a command-line argument by the file generator_plugin.sh. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | Affected by 24 other vulnerabilities. |
| VCID-hdwj-u6ne-s7ay; Aliases: CVE-2011-4064 | Cross-site scripting (XSS) vulnerability in the setup interface in phpMyAdmin 3.4.x before 3.4.6 allows remote attackers to inject arbitrary web script or HTML via a crafted value. | Affected by 145 other vulnerabilities. |
| VCID-hetz-y76u-6ucp; Aliases: CVE-2008-2960 | Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.11.7, when register_globals is enabled and .htaccess support is disabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving scripts in libraries/. | Affected by 190 other vulnerabilities. |
| VCID-hw5n-kv9r-8yej; Aliases: CVE-2016-2560 | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to libraries/controllers/TableSearchController.class.php in the zoom search page. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-hyn6-xxxq-57f4; Aliases: CVE-2014-5273 | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.2, 4.1.x before 4.1.14.3, and 4.2.x before 4.2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) browse table page, related to js/sql.js; (2) ENUM editor page, related to js/functions.js; (3) monitor page, related to js/server_status_monitor.js; (4) query charts page, related to js/tbl_chart.js; or (5) table relations page, related to libraries/tbl_relation.lib.php. | Affected by 115 other vulnerabilities. |
| VCID-j589-8hrn-9bae; Aliases: CVE-2017-1000016 GHSA-j2cq-h6v2-f875 | Improper Input Validation: A weakness was discovered where an attacker can inject arbitrary values into the browser cookies. | Affected by 24 other vulnerabilities. |
| VCID-jabw-t2hb-q3e9; Aliases: CVE-2016-9848 | An issue was discovered in phpMyAdmin. phpinfo (phpinfo.php) shows PHP information including values of HttpOnly cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. | Affected by 24 other vulnerabilities. |
| VCID-jc7z-g7xt-u3cw; Aliases: CVE-2010-4481 GHSA-gmc7-jvv7-w245 | phpMyAdmin before 3.4.0-beta1 allows remote attackers to bypass authentication and obtain sensitive information via a direct request to phpinfo.php, which calls the phpinfo function. | Affected by 171 other vulnerabilities. |
| VCID-jemb-avnk-c7eb; Aliases: CVE-2016-6616 | An issue was discovered in phpMyAdmin. In the "User group" and "Designer" features, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected. | Affected by 24 other vulnerabilities. |
| VCID-jmn8-a5r9-2qc8; Aliases: CVE-2016-6622 GHSA-qf3f-7x69-qfv3 | Improper Input Validation: An issue was discovered in phpMyAdmin. An unauthenticated user is able to execute a denial-of-service (DoS) attack by forcing persistent connections when phpMyAdmin is running with `$cfg['AllowArbitraryServer']=true`. | Affected by 24 other vulnerabilities. |
| VCID-jvvf-kwtm-6qb7; Aliases: CVE-2014-9218 | libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to cause a denial of service (resource consumption) via a long password. | Affected by 145 other vulnerabilities. Affected by 115 other vulnerabilities. Affected by 113 other vulnerabilities. |
| VCID-jwqb-guqs-v7dz; Aliases: CVE-2006-2418 | Cross-site scripting (XSS) vulnerabilities in certain versions of phpMyAdmin before 2.8.0.4 allow remote attackers to inject arbitrary web script or HTML via the db parameter in unknown scripts. | Affected by 208 other vulnerabilities. |
| VCID-jxf7-1cq4-t3cv; Aliases: CVE-2016-5734 GHSA-rv57-479x-x4qv | phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation. | Affected by 24 other vulnerabilities. |
| VCID-k3fp-nkvv-e3fa; Aliases: CVE-2014-4987 | server_user_groups.php in phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x before 4.2.6 allows remote authenticated users to bypass intended access restrictions and read the MySQL user list via a viewUsers request. | Affected by 115 other vulnerabilities. |
| VCID-k5ph-wws1-fqg4; Aliases: CVE-2016-5731 GHSA-mwm8-36c5-j5cf | Cross-site Scripting: Cross-site scripting (XSS) vulnerability in `examples/openid.php` in phpMyAdmin allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-kfr7-v6tb-eqau; Aliases: CVE-2019-18622 GHSA-jgjc-332c-8cmc | SQL Injection: A crafted database/table name can be used to trigger a SQL injection attack through the designer feature. | Affected by 7 other vulnerabilities. |
| VCID-kfrx-mmr7-euep; Aliases: CVE-2018-10188 GHSA-v6fp-h79x-9rqc | Cross-Site Request Forgery (CSRF): phpMyAdmin has CSRF, allowing an attacker to execute arbitrary SQL statements, related to `js/db_operations.js`, `js/tbl_operations.js`, `libraries/classes/Operations.php`, and `sql.php`. | Affected by 7 other vulnerabilities. |
| VCID-knqb-87ak-7qak; Aliases: CVE-2006-2417 | Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.x before 2.8.0.4 allows remote attackers to inject arbitrary web script or HTML via the theme parameter in unknown scripts. NOTE: the lang parameter is already covered by CVE-2006-2031. | Affected by 208 other vulnerabilities. |
| VCID-krmp-qvw1-n7b6; Aliases: CVE-2013-5003 | Multiple SQL injection vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allow remote authenticated users to execute arbitrary SQL commands via (1) the scale parameter to pmd_pdf.php or (2) the pdf_page_number parameter to schema_export.php. | Affected by 145 other vulnerabilities. Affected by 115 other vulnerabilities. |
| VCID-kwtj-jk24-zffq; Aliases: CVE-2016-6611 | An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | Affected by 24 other vulnerabilities. |
| VCID-kxq1-41am-gqdc; Aliases: CVE-2011-4634 GHSA-9j9h-cpgc-8356 | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.4.x before 3.4.8 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted database name, related to the Database Synchronize panel; (2) a crafted database name, related to the Database rename panel; (3) a crafted SQL query, related to the table overview panel; (4) a crafted SQL query, related to the view creation dialog; (5) a crafted column type, related to the table search dialog; or (6) a crafted column type, related to the create index dialog. | Affected by 145 other vulnerabilities. |
| VCID-m2g6-2ztp-tuam; Aliases: CVE-2020-22452 GHSA-prcg-mc23-hgjh | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.2.0 via the tbl_storage_engine or tbl_collation parameters to tbl_create.php. | Affected by 7 other vulnerabilities. |
| VCID-m3kq-1cfg-mkgc; Aliases: CVE-2023-25727 GHSA-6hr3-44gx-g6wh | Cross-site Scripting vulnerability in drag-and-drop upload of phpMyAdmin: In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger Cross-site Scripting (XSS) by uploading a crafted .sql file through the drag-and-drop interface. By disabling the configuration directive `$cfg['enable_drag_drop_import']`, users will be unable to use the drag-and-drop upload, which would protect against the vulnerability. | Affected by 1 other vulnerability. |
| VCID-m54t-23nu-3kaa; Aliases: CVE-2014-4986 GHSA-jqmr-wqgp-8mh2 | Multiple cross-site scripting (XSS) vulnerabilities in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) table name or (2) column name that is improperly handled during construction of an AJAX confirmation message. | Affected by 115 other vulnerabilities. |
| VCID-m59w-cug5-wbe2; Aliases: CVE-2016-9862 | An issue was discovered in phpMyAdmin. With a crafted login request it is possible to inject BBCode in the login page. All 4.6.x versions (prior to 4.6.5) are affected. | Affected by 24 other vulnerabilities. |
| VCID-mctt-kqsq-97gt; Aliases: CVE-2011-1941 GHSA-v6fw-xf2c-8q43 | Open redirect vulnerability in the redirector feature in phpMyAdmin 3.4.x before 3.4.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | Affected by 145 other vulnerabilities. |
| VCID-me6n-9fzg-ayf5; Aliases: CVE-2012-1190 | Cross-site scripting (XSS) vulnerability in the replication-setup functionality in js/replication.js in phpMyAdmin 3.4.x before 3.4.10.1 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted database name. | Affected by 145 other vulnerabilities. |
| VCID-mgu4-pf1x-r3dy; Aliases: CVE-2016-6608 GHSA-jfmj-27fp-qp67 | Cross-site Scripting: XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the "Remove partitioning" functionality. Specially crafted database names can trigger the XSS attack. | Affected by 24 other vulnerabilities. |
| VCID-mxn5-bh7q-gkdb; Aliases: CVE-2015-7873 GHSA-5pmg-qh2c-7j24 | The redirection feature in url.php in phpMyAdmin 4.4.x before 4.4.15.1 and 4.5.x before 4.5.1 allows remote attackers to spoof content via the url parameter. | Affected by 145 other vulnerabilities. Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-mzuh-5e5y-d3hr; Aliases: CVE-2019-19617 GHSA-pgph-mc4p-f8c3 | Improper Neutralization of Escape, Meta, or Control Sequences: phpMyAdmin does not escape certain Git information, related to `libraries/classes/Display/GitRevision.php` and `libraries/classes/Footer.php`. | Affected by 7 other vulnerabilities. |
| VCID-n53q-r421-affh; Aliases: CVE-2016-6617 | An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4) are affected. | Affected by 24 other vulnerabilities. |
| VCID-n66y-s36g-fqck; Aliases: CVE-2016-9860 GHSA-3hw5-fffc-qrg4 | Improper Input Validation: An issue was discovered in phpMyAdmin. An unauthenticated user can execute a denial of service attack when phpMyAdmin is running with `$cfg['AllowArbitraryServer']=true`. | Affected by 24 other vulnerabilities. |
| VCID-n7cc-xfym-u7g4; Aliases: CVE-2014-6300 GHSA-6wfj-2mw7-p5cg | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site scripting (XSS) vulnerability in the micro history implementation in phpMyAdmin 4.0.x before 4.0.10.3, 4.1.x before 4.1.14.4, and 4.2.x before 4.2.8.1 allows remote attackers to inject arbitrary web script or HTML, and consequently conduct a cross-site request forgery (CSRF) attack to create a root account, via a crafted URL, related to js/ajax.js. | Affected by 115 other vulnerabilities. |
| VCID-ne75-u4sh-3ue7; Aliases: CVE-2006-2031 | Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin 2.8.0.3, 2.8.0.2, 2.8.1-dev, and 2.9.0-dev allows remote attackers to inject arbitrary web script or HTML via the lang parameter. | Affected by 208 other vulnerabilities. |
| VCID-nfgc-1n4t-9uh7; Aliases: CVE-2007-0203 | Multiple unspecified vulnerabilities in phpMyAdmin before 2.9.2-rc1 have unknown impact and attack vectors. | Affected by 208 other vulnerabilities. |
| VCID-np5w-chxm-cyak; Aliases: CVE-2015-8980 | The plural form formula in the ngettext family of calls in php-gettext before 1.0.12 allows remote attackers to execute arbitrary code. | Affected by 24 other vulnerabilities. |
| VCID-ntmf-36f1-e3fg; Aliases: CVE-2011-4782 GHSA-2h23-c973-x63q | phpMyAdmin Cross-site Scripting vulnerability: Cross-site scripting (XSS) vulnerability in libraries/config/ConfigFile.class.php in the setup interface in phpMyAdmin 3.4.x before 3.4.9 allows remote attackers to inject arbitrary web script or HTML via the host parameter. | Affected by 145 other vulnerabilities. |
| VCID-nuju-ekmt-k7g9; Aliases: CVE-2016-6629 GHSA-567r-vqj7-5cw7 | Improper Input Validation: An issue was discovered in phpMyAdmin involving the `$cfg['ArbitraryServerRegexp']` configuration directive. An attacker could reuse certain cookie values in a way that bypasses the servers defined by `ArbitraryServerRegexp`. | Affected by 24 other vulnerabilities. |
| VCID-nv3j-xj42-wfcw; Aliases: CVE-2016-9861 GHSA-r326-mp8g-6xfc | Incomplete List of Disallowed Inputs: An issue was discovered in phpMyAdmin. Due to the limitation in URL matching, it was possible to bypass the URL white-list protection. | Affected by 24 other vulnerabilities. |
| VCID-p1jn-sxds-mqd1; Aliases: CVE-2018-7260 GHSA-gqmj-f46x-wqhw | Cross-site Scripting: Cross-site scripting (XSS) vulnerability in `db_central_columns.php` in phpMyAdmin allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | Affected by 7 other vulnerabilities. |
| VCID-p361-saxs-97g9; Aliases: CVE-2016-9855 | An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the PMA_shutdownDuringExport issue. | Affected by 24 other vulnerabilities. |
| VCID-p7ay-azv3-bqch; Aliases: CVE-2006-1804 | SQL injection vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows remote attackers to execute arbitrary SQL commands via the sql_query parameter. | Affected by 208 other vulnerabilities. |
| VCID-pdmq-pgqp-5qft; Aliases: CVE-2014-4955 | Cross-site scripting (XSS) vulnerability in the PMA_TRI_getRowForList function in libraries/rte/rte_list.lib.php in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted trigger name that is improperly handled on the database triggers page. | Affected by 115 other vulnerabilities. |
| VCID-pfdk-db4h-47dx; Aliases: CVE-2016-2559 GHSA-7rf8-9r8f-qf59 | Cross-site Scripting: A Cross-site scripting (XSS) vulnerability in the format function in `libraries/sql-parser/src/Utils/Error.php` in the SQL parser in phpMyAdmin allows remote authenticated users to inject arbitrary web script or HTML via a crafted query. | Affected by 24 other vulnerabilities. |
| VCID-pnry-rv8t-v3ff; Aliases: CVE-2015-2206 | libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests. | Affected by 145 other vulnerabilities. Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-psp9-3jss-cka9; Aliases: CVE-2012-1902 | show_config_errors.php in phpMyAdmin 3.4.x before 3.4.10.2, when a configuration file does not exist, allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message about this missing file. | Affected by 145 other vulnerabilities. |
| VCID-ptce-mpk2-yub7; Aliases: CVE-2007-5589 | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via certain input available in (1) PHP_SELF in (a) server_status.php, and (b) grab_globals.lib.php, (c) display_change_password.lib.php, and (d) common.lib.php in libraries/; and certain input available in PHP_SELF and (2) PATH_INFO in libraries/common.inc.php. NOTE: there might also be other vectors related to (3) REQUEST_URI. | Affected by 190 other vulnerabilities. |
| VCID-pv92-669g-eub2; Aliases: CVE-2009-1285 | Static code injection vulnerability in the getConfigFile function in setup/lib/ConfigFile.class.php in phpMyAdmin 3.x before 3.1.3.2 allows remote attackers to inject arbitrary PHP code into configuration files. | Affected by 171 other vulnerabilities. |
|
| VCID-q2wv-kbra-5kg8 (Aliases: CVE-2016-9865) | An issue was discovered in phpMyAdmin. Due to a bug in serialized string parsing, it was possible to bypass the protection offered by PMA_safeUnserialize() function. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. | Affected by 24 other vulnerabilities. |
| VCID-q45d-5bf4-tff5 (Aliases: CVE-2017-18264 GHSA-5868-g58j-vrj5) | Improper Privilege Management An issue was discovered in `libraries/common` which allows users who have no password set to log in even if the administrator has set `$cfg['Servers'][$i]['AllowNoPassword']` to `false` (which is also the default). | Affected by 24 other vulnerabilities. |
| VCID-q7pe-bvr1-g3bc (Aliases: CVE-2016-9847 GHSA-9xhq-pm7v-693p) | Cryptographic Issues An issue was discovered in phpMyAdmin. When the user does not specify a `blowfish_secret` key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where the way this value is created uses a weak algorithm. This could allow an attacker to determine the user's `blowfish_secret` and potentially decrypt their cookies. | Affected by 24 other vulnerabilities. |
| VCID-q7rn-1612-quau (Aliases: CVE-2019-11768 GHSA-x37v-98f9-mj32) | SQL Injection A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature. | Affected by 7 other vulnerabilities. |
| VCID-q7zq-5xpn-93dd (Aliases: CVE-2016-9854) | An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the json_decode issue. | Affected by 24 other vulnerabilities. |
| VCID-qbjt-k4x8-gya5 (Aliases: CVE-2014-4348) | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database name or (2) table name that is improperly handled after presence in (a) the favorite list or (b) recent tables. | Affected by 115 other vulnerabilities. |
| VCID-qeac-129m-1udw (Aliases: CVE-2016-9863 GHSA-qgrq-64g6-mmh6) | An issue was discovered in phpMyAdmin. With a very large request to table partitioning function, it is possible to invoke a Denial of Service (DoS) attack. All 4.6.x versions (prior to 4.6.5) are affected. | Affected by 24 other vulnerabilities. |
| VCID-qka6-b7w2-f7dw (Aliases: CVE-2011-0987) | The PMA_Bookmark_get function in libraries/bookmark.lib.php in phpMyAdmin 2.11.x before 2.11.11.3, and 3.3.x before 3.3.9.2, does not properly restrict bookmark queries, which makes it easier for remote authenticated users to trigger another user's execution of a SQL query by creating a bookmark. | Affected by 145 other vulnerabilities. |
| VCID-qmj2-pxvt-zqes (Aliases: CVE-2020-26934 GHSA-6349-53vr-7hcr) | Cross-site Scripting phpMyAdmin allows XSS through the transformation feature via a crafted link. | Affected by 7 other vulnerabilities. |
| VCID-qnf5-aays-qkf1 (Aliases: CVE-2011-2505 GHSA-vqcm-r62w-w437) | Improper Control of Generation of Code ('Code Injection') libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a "remote variable manipulation vulnerability." | Affected by 145 other vulnerabilities. |
| VCID-qpj7-uk5e-nbez (Aliases: CVE-2016-5701 GHSA-rh74-5835-jpxp) | phpMyAdmin vulnerable to Cross-site Scripting setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-qpsr-xv8c-b3gj (Aliases: CVE-2014-4954) | Cross-site scripting (XSS) vulnerability in the PMA_getHtmlForActionLinks function in libraries/structure.lib.php in phpMyAdmin 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted table comment that is improperly handled during construction of a database structure page. | Affected by 115 other vulnerabilities. |
| VCID-qqbs-tnrs-bbem (Aliases: CVE-2010-2958 GHSA-frv8-xjcp-hrm2) | Cross-site scripting (XSS) vulnerability in libraries/Error.class.php in phpMyAdmin 3.x before 3.3.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to a PHP backtrace and error messages (aka debugging messages), a different vulnerability than CVE-2010-3056. | Affected by 171 other vulnerabilities. |
| VCID-qqyb-zags-bbhz (Aliases: CVE-2016-6632 GHSA-426q-975p-w5cr) | Incomplete Cleanup An issue was discovered in phpMyAdmin where, under certain conditions, phpMyAdmin may not delete temporary files during the import of ESRI files. | Affected by 24 other vulnerabilities. |
| VCID-qyvz-vsfe-8bfp (Aliases: CVE-2005-3787) | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.6.4-pl4 allow remote attackers to inject arbitrary web script or HTML via (1) the cookie-based login panel, (2) the title parameter and (3) the table creation dialog. | Affected by 208 other vulnerabilities. |
| VCID-r3z5-cc6j-8yg6 (Aliases: CVE-2016-6614) | An issue was discovered in phpMyAdmin involving the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a specially-crafted user name can be used to circumvent restrictions to traverse the file system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | Affected by 24 other vulnerabilities. |
| VCID-r4zz-m2mr-9qeb (Aliases: CVE-2018-19969 GHSA-xwf2-53mc-r8hx) | Cross-Site Request Forgery (CSRF) By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new `tables/routines`, deleting designer pages, `adding/deleting` users, updating user passwords, killing SQL processes. | Affected by 7 other vulnerabilities. |
| VCID-r8b5-qubu-9bgp (Aliases: CVE-2010-4329) | Cross-site scripting (XSS) vulnerability in the PMA_linkOrButton function in libraries/common.lib.php in the database (db) search script in phpMyAdmin 2.11.x before 2.11.11.1 and 3.x before 3.3.8.1 allows remote attackers to inject arbitrary web script or HTML via a crafted request. | Affected by 171 other vulnerabilities. |
| VCID-r9sb-489v-fqc9 (Aliases: CVE-2016-1927 GHSA-4gmg-gwjh-3mmr) | phpMyAdmin Cryptographic Vulnerability The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the Math.random JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-rc63-nakx-ebbe (Aliases: CVE-2016-9857 GHSA-hmmx-wxh4-9w8w) | Cross-site Scripting An issue was discovered in phpMyAdmin. XSS is possible because of a weakness in a regular expression used in some JavaScript processing. | Affected by 24 other vulnerabilities. |
| VCID-rht1-ecwp-aqe7 (Aliases: CVE-2012-4345 GHSA-r3pq-mp8v-cp33) | Multiple cross-site scripting (XSS) vulnerabilities in the Database Structure page in phpMyAdmin 3.4.x before 3.4.11.1 and 3.5.x before 3.5.2.2 allow remote authenticated users to inject arbitrary web script or HTML via (1) a crafted table name during table creation, or a (2) Empty link or (3) Drop link for a crafted table name. | Affected by 145 other vulnerabilities. |
| VCID-rkw2-bjne-efea (Aliases: CVE-2009-4605) | scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before 2.11.10 calls the unserialize function on the values of the (1) configuration and (2) v[0] parameters, which might allow remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. | Affected by 171 other vulnerabilities. |
| VCID-rsrk-jwbt-qfhe (Aliases: CVE-2016-9859) | An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in import feature. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. | Affected by 24 other vulnerabilities. |
| VCID-rx9z-rdmm-5fg6 (Aliases: CVE-2018-12581 GHSA-vxj6-pm6r-23hq) | Cross-site Scripting An issue was discovered in `js/designer/move.js` in phpMyAdmin. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature. | Affected by 7 other vulnerabilities. |
| VCID-rxz2-tx2n-k3bd (Aliases: CVE-2016-5732 GHSA-3q28-xfw3-2q35) | Multiple cross-site scripting (XSS) vulnerabilities in the partition-range implementation in templates/table/structure/display_partitions.phtml in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via crafted table parameters. | Affected by 24 other vulnerabilities. |
| VCID-rz6q-hthe-1uer (Aliases: CVE-2016-6612 GHSA-fcgm-62p3-f7cm) | Information Exposure An issue was discovered in phpMyAdmin. A user can exploit the "LOAD LOCAL INFILE" functionality to expose files on the server to the database system. | Affected by 24 other vulnerabilities. |
| VCID-s7zg-dmux-47bn (Aliases: CVE-2006-1803) | Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows remote attackers to inject arbitrary web script or HTML via the sql_query parameter. | Affected by 208 other vulnerabilities. |
| VCID-s88e-r2gd-9yep (Aliases: CVE-2015-3903) | libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 disables X.509 certificate verification for GitHub API calls over SSL, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | Affected by 145 other vulnerabilities. Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-sbqa-vqjs-bqhy (Aliases: CVE-2008-1149) | phpMyAdmin before 2.11.5 accesses $_REQUEST to obtain some parameters instead of $_GET and $_POST, which allows attackers in the same domain to override certain variables and conduct SQL injection and Cross-Site Request Forgery (CSRF) attacks by using crafted cookies. | Affected by 190 other vulnerabilities. |
| VCID-segg-gk79-9bc6 (Aliases: CVE-2016-9851 GHSA-r2vw-p77f-vc27) | Improper Input Validation An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to bypass the logout timeout. | Affected by 24 other vulnerabilities. |
| VCID-sj19-5q5e-j7ah (Aliases: CVE-2014-8961) | Directory traversal vulnerability in libraries/error_report.lib.php in the error-reporting feature in phpMyAdmin 4.1.x before 4.1.14.7 and 4.2.x before 4.2.12 allows remote authenticated users to obtain potentially sensitive information about a file's line count via a crafted parameter. | Affected by 115 other vulnerabilities. |
| VCID-snke-vmcg-xfd2 (Aliases: CVE-2014-1879) | Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin before 4.1.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename in an import action. | Affected by 145 other vulnerabilities. Affected by 115 other vulnerabilities. |
| VCID-ttu4-gpng-rydg (Aliases: CVE-2009-1149 GHSA-xrpq-63mp-9vcw) | Improper Input Validation CRLF injection vulnerability in bs_disp_as_mime_type.php in the BLOB streaming feature in phpMyAdmin before 3.1.3.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the (1) c_type and possibly (2) file_type parameters. | Affected by 171 other vulnerabilities. |
| VCID-tvfz-v881-sufp (Aliases: CVE-2016-5706 GHSA-9rmm-8fp4-26hv) | phpMyAdmin Denial Of Service (DOS) attack js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to cause a denial of service via a large array in the scripts parameter. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-txba-1at4-ekg2 (Aliases: CVE-2017-1000013 GHSA-5h5m-fj48-qpjw) | URL Redirection to Untrusted Site (Open Redirect) phpMyAdmin is vulnerable to an open redirect weakness. | Affected by 24 other vulnerabilities. |
| VCID-u8sc-gk1h-gkhc (Aliases: CVE-2012-4579 GHSA-q7v2-w38r-pv7v) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.2.2 allow remote authenticated users to inject arbitrary web script or HTML via a Table Operations (1) TRUNCATE or (2) DROP link for a crafted table name, (3) the Add Trigger popup within a Triggers page that references crafted table names, (4) an invalid trigger-creation attempt for a crafted table name, (5) crafted data in a table, or (6) a crafted tooltip label name during GIS data visualization, a different issue than CVE-2012-4345. | Affected by 145 other vulnerabilities. |
| VCID-uc6b-5sj1-9yg2 (Aliases: CVE-2015-6830 GHSA-v6fh-vg22-r6cm) | libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4.3.x before 4.3.13.2 and 4.4.x before 4.4.14.1 allows remote attackers to bypass a multiple-reCaptcha protection mechanism against brute-force credential guessing by providing a correct response to a single reCaptcha. | Affected by 145 other vulnerabilities. Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-ufzd-pbge-6qhk (Aliases: CVE-2013-4729 GHSA-x962-w72p-mv7q) | import.php in phpMyAdmin 4.x before 4.0.4.1 does not properly restrict the ability of input data to specify a file format, which allows remote authenticated users to modify the GLOBALS superglobal array, and consequently change the configuration, via a crafted request. | Affected by 115 other vulnerabilities. |
| VCID-uh3f-vuqh-w3f7 (Aliases: CVE-2006-3388) | Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via the table parameter. | Affected by 208 other vulnerabilities. |
| VCID-uqku-hw3v-u7hh (Aliases: CVE-2005-3299) | PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array. | Affected by 208 other vulnerabilities. |
| VCID-ur19-yjak-vqdd (Aliases: CVE-2014-4349) | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.1.x before 4.1.14.1 and 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted table name that is improperly handled after a (1) hide or (2) unhide action. | Affected by 115 other vulnerabilities. |
| VCID-ustg-su7z-53cv (Aliases: CVE-2008-1924) | Unspecified vulnerability in phpMyAdmin before 2.11.5.2, when running on shared hosts, allows remote authenticated users with CREATE table permissions to read arbitrary files via a crafted HTTP POST request, related to use of an undefined UploadDir variable. | Affected by 190 other vulnerabilities. |
| VCID-utaj-br37-dyg3 (Aliases: CVE-2007-0204) | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.9.2-rc1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: some of these details are obtained from third party information. | Affected by 208 other vulnerabilities. |
| VCID-utga-335m-dua9 (Aliases: CVE-2016-9856 GHSA-j8mx-x32r-5rf4) | Cross-site Scripting An XSS issue was discovered in phpMyAdmin because of an improper fix for CVE-2016-2559 in PMASA-2016-10. | Affected by 24 other vulnerabilities. |
| VCID-uyyu-r5e4-mqfg (Aliases: CVE-2011-2718 GHSA-xhqq-554j-p4x8) | Multiple directory traversal vulnerabilities in the relational schema implementation in phpMyAdmin 3.4.x before 3.4.3.2 allow remote authenticated users to include and execute arbitrary local files via directory traversal sequences in an export type field, related to (1) libraries/schema/User_Schema.class.php and (2) schema_export.php. | Affected by 145 other vulnerabilities. |
| VCID-v1kx-5wa1-r7he (Aliases: CVE-2016-9852) | An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the curl wrapper issue. | Affected by 24 other vulnerabilities. |
| VCID-v69j-7vk9-e3d4 (Aliases: CVE-2014-9219) | Cross-site scripting (XSS) vulnerability in the redirection feature in url.php in phpMyAdmin 4.2.x before 4.2.13.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter. | Affected by 115 other vulnerabilities. |
| VCID-v6cy-znq5-qfa1 (Aliases: CVE-2008-4775) | Cross-site scripting (XSS) vulnerability in pmd_pdf.php in phpMyAdmin 3.0.0, and possibly other versions including 2.11.9.2 and 3.0.1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the db parameter, a different vector than CVE-2006-6942 and CVE-2007-5977. | Affected by 190 other vulnerabilities. |
| VCID-v6xv-djkp-4kgw (Aliases: CVE-2013-4997 GHSA-5gh4-v2ch-pcx4) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving a JavaScript event in (1) an anchor identifier to setup/index.php or (2) a chartTitle (aka chart title) value. | Affected by 115 other vulnerabilities. |
| VCID-v7dk-szsy-vfh4 (Aliases: CVE-2008-3456) | phpMyAdmin before 2.11.8 does not sufficiently prevent its pages from using frames that point to pages in other domains, which makes it easier for remote attackers to conduct spoofing or phishing activities via a cross-site framing attack. | Affected by 190 other vulnerabilities. |
| VCID-vpf2-5j4s-jqeb (Aliases: CVE-2016-9864) | An issue was discovered in phpMyAdmin. With a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the MySQL database. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. | Affected by 24 other vulnerabilities. |
| VCID-vxc7-fwud-33an (Aliases: CVE-2016-6630) | An issue was discovered in phpMyAdmin. An authenticated user can trigger a denial-of-service (DoS) attack by entering a very long password at the change password dialog. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | Affected by 24 other vulnerabilities. |
| VCID-vxj9-zxns-kkh9 (Aliases: CVE-2016-4412) | An issue was discovered in phpMyAdmin. A user can be tricked into following a link leading to phpMyAdmin, which after authentication redirects to another malicious site. The attacker must sniff the user's valid phpMyAdmin token. All 4.0.x versions (prior to 4.0.10.16) are affected. | Affected by 115 other vulnerabilities. |
| VCID-w6nk-akeh-4ufg (Aliases: CVE-2019-12922 GHSA-4c9q-64gq-xhx4) | Cross-Site Request Forgery (CSRF) A CSRF issue in phpMyAdmin allows deletion of any server in the Setup page. | Affected by 7 other vulnerabilities. |
| VCID-wfpq-um6w-gqfx (Aliases: CVE-2008-7251) | libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 creates a temporary directory with 0777 permissions, which has unknown impact and attack vectors. | Affected by 171 other vulnerabilities. |
| VCID-wn4f-7vjc-b7gx (Aliases: CVE-2005-3301) | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.6.4-pl3 allow remote attackers to inject arbitrary web script or HTML via certain arguments to (1) left.php, (2) queryframe.php, or (3) server_databases.php. | Affected by 208 other vulnerabilities. |
| VCID-wp65-ncc7-dkhh (Aliases: CVE-2006-5116) | Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyAdmin before 2.9.1-rc1 allow remote attackers to perform unauthorized actions as another user by (1) directly setting a token in the URL though dynamic variable evaluation and (2) unsetting arbitrary variables via the _REQUEST array, related to (a) libraries/common.lib.php, (b) session.inc.php, and (c) url_generating.lib.php. NOTE: the PHP unset function vector is covered by CVE-2006-3017. | Affected by 208 other vulnerabilities. |
| VCID-ww5r-71kf-tfgr (Aliases: CVE-2013-5002 GHSA-p632-5w74-x8xx) | Cross-site scripting (XSS) vulnerability in libraries/schema/Export_Relation_Schema.class.php in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted pageNumber value to schema_export.php. | Affected by 145 other vulnerabilities. Affected by 115 other vulnerabilities. |
| VCID-x1jp-g4k8-mkdh (Aliases: CVE-2011-4780) | Multiple cross-site scripting (XSS) vulnerabilities in libraries/display_export.lib.php in phpMyAdmin 3.4.x before 3.4.9 allow remote attackers to inject arbitrary web script or HTML via crafted URL parameters, related to the export panels in the (1) server, (2) database, and (3) table sections. | Affected by 145 other vulnerabilities. |
| VCID-x75q-4y74-d3gt (Aliases: CVE-2016-6627) | An issue was discovered in phpMyAdmin. An attacker can determine the phpMyAdmin host location through the file url.php. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | Affected by 24 other vulnerabilities. |
| VCID-x8zu-a97g-2kak (Aliases: CVE-2010-3056) | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 2.11.x before 2.11.10.1 and 3.x before 3.3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) db_search.php, (2) db_sql.php, (3) db_structure.php, (4) js/messages.php, (5) libraries/common.lib.php, (6) libraries/database_interface.lib.php, (7) libraries/dbi/mysql.dbi.lib.php, (8) libraries/dbi/mysqli.dbi.lib.php, (9) libraries/db_info.inc.php, (10) libraries/sanitizing.lib.php, (11) libraries/sqlparser.lib.php, (12) server_databases.php, (13) server_privileges.php, (14) setup/config.php, (15) sql.php, (16) tbl_replace.php, and (17) tbl_sql.php. | Affected by 171 other vulnerabilities. |
| VCID-xgnx-jteb-myf7 (Aliases: CVE-2013-5029) | phpMyAdmin 3.5.x and 4.0.x before 4.0.5 allows remote attackers to bypass the clickjacking protection mechanism via certain vectors related to Header.class.php. | Affected by 115 other vulnerabilities. |
| VCID-xqf5-yxf3-u3he (Aliases: CVE-2016-6628 GHSA-phhm-63xx-v9rr) | Cross-site Scripting An issue was discovered in phpMyAdmin. An attacker may be able to trigger a user to download a specially crafted malicious SVG file. | Affected by 24 other vulnerabilities. |
| VCID-xsa5-sgyr-zkd4 (Aliases: CVE-2010-4480) | error.php in PhpMyAdmin 3.3.8.1, and other versions before 3.4.0-beta1, allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted BBcode tag containing "@" characters, as demonstrated using "[a@url@page]". | Affected by 171 other vulnerabilities. |
| VCID-y57y-zdmd-8bhr (Aliases: CVE-2009-1148) | Directory traversal vulnerability in bs_disp_as_mime_type.php in the BLOB streaming feature in phpMyAdmin before 3.1.3.1 allows remote attackers to read arbitrary files via directory traversal sequences in the file_path parameter ($filename variable). | Affected by 171 other vulnerabilities. |
| VCID-yvwv-ttjs-9udg (Aliases: CVE-2009-2284) | Cross-site scripting (XSS) vulnerability in phpMyAdmin before 3.2.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted SQL bookmark. | Affected by 171 other vulnerabilities. |
| VCID-z76m-em7w-5qf6 (Aliases: CVE-2009-1151) | Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action. | Affected by 171 other vulnerabilities. |
| VCID-zb95-sn9m-r3bu (Aliases: CVE-2011-4107 GHSA-q4mm-89q2-xffg) | Improper Restriction of XML External Entity Reference The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack. | Affected by 145 other vulnerabilities. |
| VCID-zmjf-j2zs-23ey (Aliases: CVE-2016-6607) | XSS issues were discovered in phpMyAdmin. This affects Zoom search (specially crafted column content can be used to trigger an XSS attack); GIS editor (certain fields in the graphical GIS editor are not properly escaped and can be used to trigger an XSS attack); Relation view; the following Transformations: Formatted, Imagelink, JPEG: Upload, RegexValidation, JPEG inline, PNG inline, and transformation wrapper; XML export; MediaWiki export; Designer; When the MySQL server is running with a specially-crafted log_bin directive; Database tab; Replication feature; and Database search. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | Affected by 24 other vulnerabilities. |
| VCID-zvcj-g6rt-s3de (Aliases: CVE-2017-1000017 GHSA-99xj-xqc9-98hr) | Server-Side Request Forgery (SSRF) phpMyAdmin is vulnerable to a weakness where a user with appropriate permissions is able to connect to an arbitrary MySQL server. | Affected by 24 other vulnerabilities. |
| VCID-zyes-82y3-g7dh (Aliases: CVE-2016-6623 GHSA-2mcj-3r3r-v5wm) | An issue was discovered in phpMyAdmin. An authorized user can cause a denial-of-service (DoS) attack on a server by passing large values to a loop. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | Affected by 24 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1f97-us29-hqef | Multiple PHP remote file inclusion vulnerabilities in phpMyAdmin 2.6.1 allow remote attackers to execute arbitrary PHP code by modifying the (1) theme parameter to phpmyadmin.css.php or (2) cfg[Server][extension] parameter to database_interface.lib.php to reference a URL on a remote web server that contains the code. | CVE-2005-0567 |
| VCID-26mn-n4fu-53ce | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 2.6.0-pl2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PmaAbsoluteUri parameter, (2) the zero_rows parameter in read_dump.php, (3) the confirm form, or (4) an error message generated by the internal phpMyAdmin parser. | CVE-2004-1055 |
| VCID-32qm-fkf5-q7hc | phpMyAdmin 2.5.1 up to 2.5.7 allows remote attackers to modify configuration settings and gain unauthorized access to MySQL servers via modified $cfg['Servers'] variables. | CVE-2004-2632 |
| VCID-35rp-cxt5-m3gz | phpMyAdmin 2.6.1 does not properly grant permissions on tables with an underscore in the name, which grants remote authenticated users more privileges than intended. | CVE-2005-0653 |
| VCID-38kp-du6g-wkg1 | The MIME transformation system (transformations/text_plain__external.inc.php) in phpMyAdmin 2.5.0 up to 2.6.0-pl1 allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors. | CVE-2004-2630 |
| VCID-4w72-3j8g-5kbg | Eval injection vulnerability in left.php in phpMyAdmin 2.5.1 up to 2.5.7, when LeftFrameLight is FALSE, allows remote attackers to execute arbitrary PHP code via a crafted table name. | CVE-2004-2631 |
| VCID-5ths-3mtd-dkgr | phpMyAdmin 2.6.2-dev, and possibly earlier versions, allows remote attackers to determine the full path of the web root via a direct request to select_lang.lib.php, which reveals the path in a PHP error message. | CVE-2005-0459 |
| VCID-5yb6-ue3h-wydu | Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin before 2.6.2-rc1 allows remote attackers to inject arbitrary web script or HTML via the convcharset parameter. | CVE-2005-0992 |
| VCID-d52p-6nur-y3d1 | Cross-site scripting (XSS) vulnerability in mysql/phpinfo.php in phpMyAdmin 2.6.1 allows remote attackers to inject arbitrary web script or HTML via the lang[] parameter. | CVE-2007-2016 |
| VCID-d8u7-egc2-8bec | Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.6.1 allows remote attackers to inject arbitrary HTML and web script via (1) the strServer, cfg[BgcolorOne], or strServerChoice parameters in select_server.lib.php, (2) the bg_color or row_no parameters in display_tbl_links.lib.php, the left_font_family parameter in theme_left.css.php, or the right_font_family parameter in theme_right.css.php. | CVE-2005-0543 |
| VCID-jc5h-5wna-zbek | phpMyAdmin before 2.11.5.1 stores the MySQL (1) username and (2) password, and the (3) Blowfish secret key, in cleartext in a Session file under /tmp, which allows local users to obtain sensitive information. | CVE-2008-1567 |
| VCID-jc9s-t6h4-qfd5 | Directory traversal vulnerability in export.php in phpMyAdmin 2.5.5 and earlier allows remote attackers to read arbitrary files via .. (dot dot) sequences in the what parameter. | CVE-2004-0129 |
| VCID-k5es-wrs7-3bc5 | phpMyAdmin 2.6.1 allows remote attackers to obtain the full path of the server via direct requests to (1) sqlvalidator.lib.php, (2) sqlparser.lib.php, (3) select_theme.lib.php, (4) select_lang.lib.php, (5) relation_cleanup.lib.php, (6) header_meta_style.inc.php, (7) get_foreign.lib.php, (8) display_tbl_links.lib.php, (9) display_export.lib.php, (10) db_table_exists.lib.php, (11) charset_conversion.lib.php, (12) ufpdf.php, (13) mysqli.dbi.lib.php, (14) setup.php, or (15) cookie.auth.lib.php, which reveals the path in a PHP error message. | CVE-2005-0544 |
| VCID-kr29-sj36-bqa2 | phpMyAdmin 2.6.0-pl2, and other versions before 2.6.1, with external transformations enabled, allows remote attackers to execute arbitrary commands via shell metacharacters. | CVE-2004-1147 |
| VCID-pcg2-hctg-sbd7 | phpMyAdmin before 2.6.1, when configured with UploadDir functionality, allows remote attackers to read arbitrary files via the sql_localfile parameter. | CVE-2004-1148 |