Search for packages
| purl | pkg:deb/debian/phpmyadmin@4:4.2.12-2%2Bdeb8u2 |
| Next non-vulnerable version | 4:5.2.2-really+dfsg-1+deb13u1 |
| Latest non-vulnerable version | 4:5.2.2-really+dfsg-1+deb13u1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1drk-gzqj-2qc5
Aliases: CVE-2016-5099 |
Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding. |
Affected by 24 other vulnerabilities. |
|
VCID-1hvw-4h4d-zkhv
Aliases: CVE-2016-2040 GHSA-pw34-qf6c-84fc |
Cross-site Scripting Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin allow remote authenticated users to inject arbitrary web script or HTML. |
Affected by 24 other vulnerabilities. |
|
VCID-23dq-w66r-k3bt
Aliases: CVE-2017-1000015 GHSA-3fgq-cmr4-97rr |
Cross-site Scripting phpMyAdmin is vulnerable to a CSS injection attack through crafted cookie parameters. |
Affected by 24 other vulnerabilities. |
|
VCID-27w6-zhxk-x7e7
Aliases: CVE-2016-2561 |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3) templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos parameter to db_central_columns.php in the central columns page. |
Affected by 24 other vulnerabilities. |
|
VCID-282b-1ugg-yuev
Aliases: CVE-2016-6621 GHSA-44vv-mm86-7cg6 |
phpMyAdmin server-side request forgery (SSRF) The setup script for phpMyAdmin before 4.0.10.19, 4.4.x before 4.4.15.10, and 4.6.x before 4.6.6 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors. |
Affected by 24 other vulnerabilities. |
|
VCID-2at1-y3qg-77fb
Aliases: CVE-2020-10803 GHSA-fcww-8wvc-38q9 |
Cross-site Scripting An SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in `tbl_get_field.php` and `libraries/classes/Display/Results.php`). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack. |
Affected by 7 other vulnerabilities. |
|
VCID-2vqn-z4en-duh4
Aliases: CVE-2016-5730 GHSA-wm9c-vcv2-vpqc |
Information Exposure phpMyAdmin allows remote attackers to obtain sensitive information. |
Affected by 24 other vulnerabilities. |
|
VCID-31jg-3pzb-y3b6
Aliases: CVE-2016-9853 GHSA-rmmf-5xhh-gg27 |
An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the fopen wrapper issue. |
Affected by 24 other vulnerabilities. |
|
VCID-32ja-yuuw-bbbh
Aliases: CVE-2020-10804 GHSA-h65r-8fp8-w7cx |
SQL Injection An SQL injection vulnerability was found in retrieval of the current username (in `libraries/classes/Server/Privileges.php` and `libraries/classes/UserPassword.php`). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges). |
Affected by 7 other vulnerabilities. |
|
VCID-33kv-ye2c-ebax
Aliases: CVE-2016-5097 |
phpMyAdmin before 4.6.2 places tokens in query strings and does not arrange for them to be stripped before external navigation, which allows remote attackers to obtain sensitive information by reading (1) HTTP requests or (2) server logs. |
Affected by 24 other vulnerabilities. |
|
VCID-33mh-s92h-c7ht
Aliases: CVE-2016-5739 GHSA-2p7v-jm8m-g3qq |
phpMyAdmin vulnerable to Cross-Site Request Forgery The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php. |
Affected by 24 other vulnerabilities. |
|
VCID-38tp-acy8-57hj
Aliases: CVE-2017-1000014 GHSA-9hrc-rwrq-v6mh |
Improper Input Validation phpMyAdmin is vulnerable to a DoS weakness in the table editing functionality. |
Affected by 24 other vulnerabilities. |
|
VCID-3va7-xx14-gkds
Aliases: CVE-2016-6613 GHSA-6j2v-g9rg-qcm5 |
Information Exposure An issue was discovered in phpMyAdmin. A user can specially craft a symlink on disk, to a file which phpMyAdmin is permitted to read but the user is not, which phpMyAdmin will then expose to the user. |
Affected by 24 other vulnerabilities. |
|
VCID-44uc-xrvp-7bet
Aliases: CVE-2016-6624 GHSA-mhxj-6vf8-mwv3 |
Incomplete List of Disallowed Inputs An issue was discovered in phpMyAdmin involving improper enforcement of the IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules. |
Affected by 24 other vulnerabilities. |
|
VCID-4avx-e9mf-2yb1
Aliases: CVE-2016-6618 GHSA-rv6m-chvv-wmxg |
Uncontrolled Resouce Consumption An issue was discovered in phpMyAdmin. The transformation feature allows a user to trigger a denial-of-service (DoS) attack against the server. |
Affected by 24 other vulnerabilities. |
|
VCID-4kax-4bpz-g7c5
Aliases: CVE-2016-2041 GHSA-8m97-xc46-rw9w |
Covert Timing Channel `libraries/common.inc.php` in phpMyAdmin does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences. |
Affected by 24 other vulnerabilities. |
|
VCID-4vgu-cagj-hfhb
Aliases: CVE-2016-6609 GHSA-wpww-hx7x-xfjh |
Command Injection An issue was discovered in phpMyAdmin. A specially crafted database name could be used to run arbitrary PHP commands through the array export feature. |
Affected by 24 other vulnerabilities. |
|
VCID-4wn2-pnbv-sked
Aliases: CVE-2018-19970 GHSA-8987-93fh-rcwq |
Cross-site Scripting In phpMyAdm, an XSS vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a crafted `database/table` name. |
Affected by 7 other vulnerabilities. |
|
VCID-52xs-45kd-w3hz
Aliases: CVE-2018-19968 GHSA-xc97-r49q-cxgc |
Information Exposure An attacker can exploit phpMyAdm to leak the contents of a local file because of an error in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system. |
Affected by 7 other vulnerabilities. |
|
VCID-59mu-8aep-9ycn
Aliases: CVE-2025-24530 GHSA-222v-cx2c-q2f5 |
phpMyAdmin XSS when checking tables An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS. |
Affected by 1 other vulnerability. |
|
VCID-5bu8-wy7w-bqfc
Aliases: CVE-2016-6606 |
An issue was discovered in cookie encryption in phpMyAdmin. The decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user's browser cookie file to decrypt the username and password. Furthermore, the same initialization vector (IV) is used to hash the username and password stored in the phpMyAdmin cookie. If a user has the same password as their username, an attacker who examines the browser cookie can see that they are the same - but the attacker can not directly decode these values from the cookie as it is still hashed. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-5jye-2stz-fqam
Aliases: CVE-2021-21252 GHSA-jxwx-85vp-gvwm |
Uncontrolled Resource Consumption The jQuery Validation Plugin provides drop-in validation for your existing forms. It is published as an npm package "jquery-validation". jquery-validation before version 1.19.3 contains one or more regular expressions that is vulnerable to ReDoS (Regular Expression Denial of Service). This is fixed in 1.19.3. |
Affected by 7 other vulnerabilities. |
|
VCID-6gs5-cswx-bfeb
Aliases: CVE-2016-2042 |
phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request to (1) libraries/phpseclib/Crypt/AES.php or (2) libraries/phpseclib/Crypt/Rijndael.php, which reveals the full path in an error message. |
Affected by 24 other vulnerabilities. |
|
VCID-7avk-rmwd-yugt
Aliases: CVE-2016-6620 |
An issue was discovered in phpMyAdmin. Some data is passed to the PHP unserialize() function without verification that it's valid serialized data. The unserialization can result in code execution because of the interaction with object instantiation and autoloading. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-7vpu-x9mb-q3c6
Aliases: CVE-2020-5504 GHSA-fgj8-93xx-f6g6 |
In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server. |
Affected by 7 other vulnerabilities. |
|
VCID-84n7-nzzg-juhz
Aliases: CVE-2016-5702 GHSA-xqw9-ffx7-g998 |
phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI. |
Affected by 24 other vulnerabilities. |
|
VCID-8jt7-y15v-83gj
Aliases: CVE-2016-6615 |
XSS issues were discovered in phpMyAdmin. This affects navigation pane and database/table hiding feature (a specially-crafted database name can be used to trigger an XSS attack); the "Tracking" feature (a specially-crafted query can be used to trigger an XSS attack); and GIS visualization feature. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-8rvw-n1fg-ffc2
Aliases: CVE-2019-12616 GHSA-mfr9-pcm3-6mwc |
Cross-Site Request Forgery (CSRF) A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken `<img>` tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific `INSERT` or `DELETE` statement) to the victim. |
Affected by 7 other vulnerabilities. |
|
VCID-8yxm-e33n-d7gj
Aliases: CVE-2016-6619 |
An issue was discovered in phpMyAdmin. In the user interface preference feature, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-9nh7-ny6c-n3cd
Aliases: CVE-2016-6626 |
An issue was discovered in phpMyAdmin. An attacker could redirect a user to a malicious web page. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-9tdu-572c-tbb2
Aliases: CVE-2016-5703 |
SQL injection vulnerability in libraries/central_columns.lib.php in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allows remote attackers to execute arbitrary SQL commands via a crafted database name that is mishandled in a central column query. |
Affected by 24 other vulnerabilities. |
|
VCID-ajeh-4q9t-sydz
Aliases: CVE-2016-9850 |
An issue was discovered in phpMyAdmin. Username matching for the allow/deny rules may result in wrong matches and detection of the username in the rule due to non-constant execution time. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-ajf6-bk2g-wkb7
Aliases: CVE-2019-6799 GHSA-c8wj-q36q-3wg4 |
Information Exposure When the `AllowArbitraryServer` configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the `mysql.allow_local_infile` PHP configuration, and the inadvertent ignoring of `options(MYSQLI_OPT_LOCAL_INFILE` calls. |
Affected by 7 other vulnerabilities. |
|
VCID-b2nf-6pr3-xqaa
Aliases: CVE-2020-26935 GHSA-7ff4-cv53-4cjq |
SQL Injection An issue was discovered in SearchController in phpMyAdmin. An SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL in to a query. |
Affected by 7 other vulnerabilities. |
|
VCID-b4jk-yjfy-pfcv
Aliases: CVE-2016-2044 |
libraries/sql-parser/autoload.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. |
Affected by 24 other vulnerabilities. |
|
VCID-b6ng-ygap-zqh4
Aliases: CVE-2016-2562 GHSA-w8qg-j9fp-hrjf |
Improper Input Validation The `checkHTTP` function in `libraries/Config.class.php` in phpMyAdmin does not verify X.509 certificates from `api.github.com` SSL servers, which allows man-in-the-middle attackers to spoof these servers and obtain sensitive information via a crafted certificate. |
Affected by 24 other vulnerabilities. |
|
VCID-bd83-vf81-sfa4
Aliases: CVE-2019-6798 GHSA-f732-fxh6-g4qj |
SQL Injection An issue was discovered in phpMyAdmin. A vulnerability was reported where a specially crafted username can be used to trigger a SQL injection attack through the designer feature. |
Affected by 7 other vulnerabilities. |
|
VCID-bddg-5zgr-3uew
Aliases: CVE-2016-5705 GHSA-6q2j-8h8q-46mr |
phpMyAdmin vulnerable to Cross-site Scripting Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an "invalid JSON" error message in the error console, (3) a database name in the central columns implementation, (4) a group name, or (5) a search name in the bookmarks implementation. |
Affected by 24 other vulnerabilities. |
|
VCID-btc1-yng3-ckhx
Aliases: CVE-2017-1000018 GHSA-47qr-f86f-3wm4 |
Improper Input Validation phpMyAdmin is vulnerable to a DoS attack in the replication status by using a specially crafted table name. |
Affected by 24 other vulnerabilities. |
|
VCID-cbjd-e3sk-m7bu
Aliases: CVE-2016-9866 GHSA-jvxx-8xxf-5495 |
Cross-Site Request Forgery (CSRF) An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-crn9-f6qt-qfg5
Aliases: CVE-2016-2039 |
libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value. |
Affected by 24 other vulnerabilities. |
|
VCID-cth2-72mg-6yfr
Aliases: CVE-2015-8669 |
libraries/config/messages.inc.php in phpMyAdmin 4.0.x before 4.0.10.12, 4.4.x before 4.4.15.2, and 4.5.x before 4.5.3.1 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. |
Affected by 24 other vulnerabilities. |
|
VCID-cz55-m46r-37gb
Aliases: CVE-2015-3902 |
Multiple cross-site request forgery (CSRF) vulnerabilities in the setup process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 allow remote attackers to hijack the authentication of administrators for requests that modify the configuration file. |
Affected by 24 other vulnerabilities. |
|
VCID-d7jk-a94y-n3ca
Aliases: CVE-2016-2038 |
phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. |
Affected by 24 other vulnerabilities. |
|
VCID-dbk1-n9kh-dfhm
Aliases: CVE-2016-5704 GHSA-gcvp-cwgw-wx8j |
Cross-site scripting (XSS) vulnerability in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving a comment. |
Affected by 24 other vulnerabilities. |
|
VCID-dfsz-1y13-yug9
Aliases: CVE-2016-9858 |
An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in saved searches feature. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-dgvs-kqpd-gfcy
Aliases: CVE-2016-2045 |
Cross-site scripting (XSS) vulnerability in the SQL editor in phpMyAdmin 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a SQL query that triggers JSON data in a response. |
Affected by 24 other vulnerabilities. |
|
VCID-dj5f-y77j-d7dx
Aliases: CVE-2016-9849 |
An issue was discovered in phpMyAdmin. It is possible to bypass AllowRoot restriction ($cfg['Servers'][$i]['AllowRoot']) and deny rules for username by using Null Byte in the username. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-dx3h-z4dg-m3e1
Aliases: CVE-2020-10802 GHSA-f4cr-3xmc-2wpm |
SQL Injection In phpMyAdmin, an SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in `libraries/classes/Controllers/Table/TableSearchController.php`. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table. |
Affected by 7 other vulnerabilities. |
|
VCID-g2uy-ekyf-4bcj
Aliases: CVE-2016-2043 |
Cross-site scripting (XSS) vulnerability in the goToFinish1NF function in js/normalization.js in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a table name to the normalization page. |
Affected by 24 other vulnerabilities. |
|
VCID-gmjk-222y-abda
Aliases: CVE-2016-6625 GHSA-r643-7xfg-ppc5 |
Information Exposure An issue was discovered in phpMyAdmin. An attacker can determine whether a user is logged in to phpMyAdmin. The user session, username, and password are not compromised by this vulnerability. |
Affected by 24 other vulnerabilities. |
|
VCID-gqxb-6rey-rbhv
Aliases: CVE-2016-5733 GHSA-cr65-p662-fx5c |
phpMyAdmin vulnerable to Cross-site Scripting Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during privilege checking in table_row.phtml, (2) a crafted mysqld log_bin directive that is mishandled in log_selector.phtml, (3) the Transformation implementation, (4) AJAX error handling in js/ajax.js, (5) the Designer implementation, (6) the charts implementation in js/tbl_chart.js, or (7) the zoom-search implementation in rows_zoom.phtml. |
Affected by 24 other vulnerabilities. |
|
VCID-gtps-py3z-13cu
Aliases: CVE-2016-6633 GHSA-p849-vf5f-f3x7 |
Code Injection An issue was discovered in phpMyAdmin. phpMyAdmin can be used to trigger a remote code execution attack against certain PHP installations that are running with the dbase extension. |
Affected by 24 other vulnerabilities. |
|
VCID-gzwb-ju7m-juf7
Aliases: CVE-2016-6610 |
A full path disclosure vulnerability was discovered in phpMyAdmin where a user can trigger a particular error in the export mechanism to discover the full path of phpMyAdmin on the disk. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-har4-gaft-m7e8
Aliases: CVE-2025-24529 |
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab. |
Affected by 1 other vulnerability. |
|
VCID-hbp6-s544-pqaw
Aliases: CVE-2016-6631 |
An issue was discovered in phpMyAdmin. A user can execute a remote code execution attack against a server when phpMyAdmin is being run as a CGI application. Under certain server configurations, a user can pass a query string which is executed as a command-line argument by the file generator_plugin.sh. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-hw5n-kv9r-8yej
Aliases: CVE-2016-2560 |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to libraries/controllers/TableSearchController.class.php in the zoom search page. |
Affected by 24 other vulnerabilities. |
|
VCID-j589-8hrn-9bae
Aliases: CVE-2017-1000016 GHSA-j2cq-h6v2-f875 |
Improper Input Validation A weakness was discovered where an attacker can inject arbitrary values in to the browser cookies. |
Affected by 24 other vulnerabilities. |
|
VCID-jabw-t2hb-q3e9
Aliases: CVE-2016-9848 |
An issue was discovered in phpMyAdmin. phpinfo (phpinfo.php) shows PHP information including values of HttpOnly cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-jemb-avnk-c7eb
Aliases: CVE-2016-6616 |
An issue was discovered in phpMyAdmin. In the "User group" and "Designer" features, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-jmn8-a5r9-2qc8
Aliases: CVE-2016-6622 GHSA-qf3f-7x69-qfv3 |
Improper Input Validation An issue was discovered in phpMyAdmin. An unauthenticated user is able to execute a denial-of-service (DoS) attack by forcing persistent connections when phpMyAdmin is running with `$cfg['AllowArbitraryServer']=true`. |
Affected by 24 other vulnerabilities. |
|
VCID-jxf7-1cq4-t3cv
Aliases: CVE-2016-5734 GHSA-rv57-479x-x4qv |
phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation. |
Affected by 24 other vulnerabilities. |
|
VCID-k5ph-wws1-fqg4
Aliases: CVE-2016-5731 GHSA-mwm8-36c5-j5cf |
Cross-site Scripting Cross-site scripting (XSS) vulnerability in `examples/openid.php` in phpMyAdmin allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message. |
Affected by 24 other vulnerabilities. |
|
VCID-kfr7-v6tb-eqau
Aliases: CVE-2019-18622 GHSA-jgjc-332c-8cmc |
SQL Injection A crafted database/table name can be used to trigger a SQL injection attack through the designer feature. |
Affected by 7 other vulnerabilities. |
|
VCID-kfrx-mmr7-euep
Aliases: CVE-2018-10188 GHSA-v6fp-h79x-9rqc |
Cross-Site Request Forgery (CSRF) phpMyAdm has CSRF, allowing an attacker to execute arbitrary SQL statements, related to `js/db_operations.js`, `js/tbl_operations.js`, `libraries/classes/Operations.php`, and `sql.php.` |
Affected by 7 other vulnerabilities. |
|
VCID-kwtj-jk24-zffq
Aliases: CVE-2016-6611 |
An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-m2g6-2ztp-tuam
Aliases: CVE-2020-22452 GHSA-prcg-mc23-hgjh |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.2.0 via the tbl_storage_engine or tbl_collation parameters to tbl_create.php. |
Affected by 7 other vulnerabilities. |
|
VCID-m3kq-1cfg-mkgc
Aliases: CVE-2023-25727 GHSA-6hr3-44gx-g6wh |
Cross-site Scripting vulnerability in drag-and-drop upload of phpMyAdmin In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger Cross-site Scripting (XSS) by uploading a crafted .sql file through the drag-and-drop interface. By disabling the configuration directive `$cfg['enable_drag_drop_import']`, users will be unable to use the drag and drop upload which would protect against the vulnerability. |
Affected by 1 other vulnerability. |
|
VCID-m59w-cug5-wbe2
Aliases: CVE-2016-9862 |
An issue was discovered in phpMyAdmin. With a crafted login request it is possible to inject BBCode in the login page. All 4.6.x versions (prior to 4.6.5) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-mgu4-pf1x-r3dy
Aliases: CVE-2016-6608 GHSA-jfmj-27fp-qp67 |
Cross-site Scripting XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the "Remove partitioning" functionality. Specially crafted database names can trigger the XSS attack. |
Affected by 24 other vulnerabilities. |
|
VCID-mxn5-bh7q-gkdb
Aliases: CVE-2015-7873 GHSA-5pmg-qh2c-7j24 |
The redirection feature in url.php in phpMyAdmin 4.4.x before 4.4.15.1 and 4.5.x before 4.5.1 allows remote attackers to spoof content via the url parameter. |
Affected by 24 other vulnerabilities. |
|
VCID-mzuh-5e5y-d3hr
Aliases: CVE-2019-19617 GHSA-pgph-mc4p-f8c3 |
Improper Neutralization of Escape, Meta, or Control Sequences phpMyAdmin does not escape certain Git information, related to `libraries/classes/Display/GitRevision.php` and `libraries/classes/Footer.php`. |
Affected by 7 other vulnerabilities. |
|
VCID-n53q-r421-affh
Aliases: CVE-2016-6617 |
An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-n66y-s36g-fqck
Aliases: CVE-2016-9860 GHSA-3hw5-fffc-qrg4 |
Improper Input Validation An issue was discovered in phpMyAdmin. An unauthenticated user can execute a denial of service attack when phpMyAdmin is running with `$cfg['AllowArbitraryServer']=true`. |
Affected by 24 other vulnerabilities. |
|
VCID-np5w-chxm-cyak
Aliases: CVE-2015-8980 |
The plural form formula in ngettext family of calls in php-gettext before 1.0.12 allows remote attackers to execute arbitrary code. |
Affected by 24 other vulnerabilities. |
|
VCID-nuju-ekmt-k7g9
Aliases: CVE-2016-6629 GHSA-567r-vqj7-5cw7 |
Improper Input Validation An issue was discovered in phpMyAdmin involving the `$cfg['ArbitraryServerRegexp']` configuration directive. An attacker could reuse certain cookie values in a way of bypassing the servers defined by `ArbitraryServerRegexp`. |
Affected by 24 other vulnerabilities. |
|
VCID-nv3j-xj42-wfcw
Aliases: CVE-2016-9861 GHSA-r326-mp8g-6xfc |
Incomplete List of Disallowed Inputs An issue was discovered in phpMyAdmin. Due to the limitation in URL matching, it was possible to bypass the URL white-list protection. |
Affected by 24 other vulnerabilities. |
|
VCID-p1jn-sxds-mqd1
Aliases: CVE-2018-7260 GHSA-gqmj-f46x-wqhw |
Cross-site Scripting Cross-site scripting (XSS) vulnerability in `db_central_columns.php` in phpMyAdm allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. |
Affected by 7 other vulnerabilities. |
|
VCID-p361-saxs-97g9
Aliases: CVE-2016-9855 |
An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the PMA_shutdownDuringExport issue. |
Affected by 24 other vulnerabilities. |
|
VCID-pfdk-db4h-47dx
Aliases: CVE-2016-2559 GHSA-7rf8-9r8f-qf59 |
Cross-site Scripting A Cross-site scripting (XSS) vulnerability in the format function in `libraries/sql-parser/src/Utils/Error.php` in the SQL parser in phpMyAdmin allows remote authenticated users to inject arbitrary web script or HTML via a crafted query. |
Affected by 24 other vulnerabilities. |
|
VCID-pnry-rv8t-v3ff
Aliases: CVE-2015-2206 |
libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests. |
Affected by 24 other vulnerabilities. |
|
VCID-q2wv-kbra-5kg8
Aliases: CVE-2016-9865 |
An issue was discovered in phpMyAdmin. Due to a bug in serialized string parsing, it was possible to bypass the protection offered by PMA_safeUnserialize() function. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-q45d-5bf4-tff5
Aliases: CVE-2017-18264 GHSA-5868-g58j-vrj5 |
Improper Privilege Management An issue was discovered in `libraries/common` which allows users who have no password set to log in even if the administrator has set `$cfg['Servers'][$i]['AllowNoPassword']` to `false` (which is also the default). |
Affected by 24 other vulnerabilities. |
|
VCID-q7pe-bvr1-g3bc
Aliases: CVE-2016-9847 GHSA-9xhq-pm7v-693p |
Cryptographic Issues An issue was discovered in phpMyAdmin. When the user does not specify a `blowfish_secret` key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where the way this value is created uses a weak algorithm. This could allow an attacker to determine the user's `blowfish_secret` and potentially decrypt their cookies. |
Affected by 24 other vulnerabilities. |
|
VCID-q7rn-1612-quau
Aliases: CVE-2019-11768 GHSA-x37v-98f9-mj32 |
SQL Injection A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature. |
Affected by 7 other vulnerabilities. |
|
VCID-q7zq-5xpn-93dd
Aliases: CVE-2016-9854 |
An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the json_decode issue. |
Affected by 24 other vulnerabilities. |
|
VCID-qeac-129m-1udw
Aliases: CVE-2016-9863 GHSA-qgrq-64g6-mmh6 |
An issue was discovered in phpMyAdmin. With a very large request to table partitioning function, it is possible to invoke a Denial of Service (DoS) attack. All 4.6.x versions (prior to 4.6.5) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-qmj2-pxvt-zqes
Aliases: CVE-2020-26934 GHSA-6349-53vr-7hcr |
Cross-site Scripting phpMyAdmin allows XSS through the transformation feature via a crafted link. |
Affected by 7 other vulnerabilities. |
|
VCID-qpj7-uk5e-nbez
Aliases: CVE-2016-5701 GHSA-rh74-5835-jpxp |
phpMyAdmin vulnerable to Cross-site Scripting setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI. |
Affected by 24 other vulnerabilities. |
|
VCID-qqyb-zags-bbhz
Aliases: CVE-2016-6632 GHSA-426q-975p-w5cr |
Incomplete Cleanup An issue was discovered in phpMyAdmin where, under certain conditions, phpMyAdmin may not delete temporary files during the import of ESRI files. |
Affected by 24 other vulnerabilities. |
|
VCID-r3z5-cc6j-8yg6
Aliases: CVE-2016-6614 |
An issue was discovered in phpMyAdmin involving the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a specially-crafted user name can be used to circumvent restrictions to traverse the file system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-r4zz-m2mr-9qeb
Aliases: CVE-2018-19969 GHSA-xwf2-53mc-r8hx |
Cross-Site Request Forgery (CSRF) By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new `tables/routines`, deleting designer pages, `adding/deleting` users, updating user passwords, killing SQL processes. |
Affected by 7 other vulnerabilities. |
|
VCID-r9sb-489v-fqc9
Aliases: CVE-2016-1927 GHSA-4gmg-gwjh-3mmr |
phpMyAdmin Cryptographic Vulnerability The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the Math.random JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach. |
Affected by 24 other vulnerabilities. |
|
VCID-rc63-nakx-ebbe
Aliases: CVE-2016-9857 GHSA-hmmx-wxh4-9w8w |
Cross-site Scripting An issue was discovered in phpMyAdmin. XSS is possible because of a weakness in a regular expression used in some JavaScript processing. |
Affected by 24 other vulnerabilities. |
|
VCID-rsrk-jwbt-qfhe
Aliases: CVE-2016-9859 |
An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in import feature. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-rx9z-rdmm-5fg6
Aliases: CVE-2018-12581 GHSA-vxj6-pm6r-23hq |
Cross-site Scripting An issue was discovered in `js/designer/move.js` in phpMyAdm A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature. |
Affected by 7 other vulnerabilities. |
|
VCID-rxz2-tx2n-k3bd
Aliases: CVE-2016-5732 GHSA-3q28-xfw3-2q35 |
Multiple cross-site scripting (XSS) vulnerabilities in the partition-range implementation in templates/table/structure/display_partitions.phtml in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via crafted table parameters. |
Affected by 24 other vulnerabilities. |
|
VCID-rz6q-hthe-1uer
Aliases: CVE-2016-6612 GHSA-fcgm-62p3-f7cm |
Information Exposure An issue was discovered in phpMyAdmin. A user can exploit the "LOAD LOCAL INFILE" functionality to expose files on the server to the database system. |
Affected by 24 other vulnerabilities. |
|
VCID-s88e-r2gd-9yep
Aliases: CVE-2015-3903 |
libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 disables X.509 certificate verification for GitHub API calls over SSL, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
Affected by 24 other vulnerabilities. |
|
VCID-segg-gk79-9bc6
Aliases: CVE-2016-9851 GHSA-r2vw-p77f-vc27 |
Improper Input Validation An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to bypass the logout timeout. |
Affected by 24 other vulnerabilities. |
|
VCID-tvfz-v881-sufp
Aliases: CVE-2016-5706 GHSA-9rmm-8fp4-26hv |
phpMyAdmin Denial Of Service (DOS) attack js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to cause a denial of service via a large array in the scripts parameter. |
Affected by 24 other vulnerabilities. |
|
VCID-txba-1at4-ekg2
Aliases: CVE-2017-1000013 GHSA-5h5m-fj48-qpjw |
URL Redirection to Untrusted Site (Open Redirect) phpMyAdmin is vulnerable to an open redirect weakness. |
Affected by 24 other vulnerabilities. |
|
VCID-uc6b-5sj1-9yg2
Aliases: CVE-2015-6830 GHSA-v6fh-vg22-r6cm |
libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4.3.x before 4.3.13.2 and 4.4.x before 4.4.14.1 allows remote attackers to bypass a multiple-reCaptcha protection mechanism against brute-force credential guessing by providing a correct response to a single reCaptcha. |
Affected by 24 other vulnerabilities. |
|
VCID-utga-335m-dua9
Aliases: CVE-2016-9856 GHSA-j8mx-x32r-5rf4 |
Cross-site Scripting An XSS issue was discovered in phpMyAdmin because of an improper fix for CVE-2016-2559 in PMASA-2016-10. |
Affected by 24 other vulnerabilities. |
|
VCID-v1kx-5wa1-r7he
Aliases: CVE-2016-9852 |
An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the curl wrapper issue. |
Affected by 24 other vulnerabilities. |
|
VCID-vpf2-5j4s-jqeb
Aliases: CVE-2016-9864 |
An issue was discovered in phpMyAdmin. With a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the MySQL database. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-vxc7-fwud-33an
Aliases: CVE-2016-6630 |
An issue was discovered in phpMyAdmin. An authenticated user can trigger a denial-of-service (DoS) attack by entering a very long password at the change password dialog. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-w6nk-akeh-4ufg
Aliases: CVE-2019-12922 GHSA-4c9q-64gq-xhx4 |
Cross-Site Request Forgery (CSRF) A CSRF issue in phpMyAdmin allows deletion of any server in the Setup page. |
Affected by 7 other vulnerabilities. |
|
VCID-x75q-4y74-d3gt
Aliases: CVE-2016-6627 |
An issue was discovered in phpMyAdmin. An attacker can determine the phpMyAdmin host location through the file url.php. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-xqf5-yxf3-u3he
Aliases: CVE-2016-6628 GHSA-phhm-63xx-v9rr |
Cross-site Scripting An issue was discovered in phpMyAdmin. An attacker may be able to trigger a user to download a specially crafted malicious SVG file. |
Affected by 24 other vulnerabilities. |
|
VCID-zmjf-j2zs-23ey
Aliases: CVE-2016-6607 |
XSS issues were discovered in phpMyAdmin. This affects Zoom search (specially crafted column content can be used to trigger an XSS attack); GIS editor (certain fields in the graphical GIS editor are not properly escaped and can be used to trigger an XSS attack); Relation view; the following Transformations: Formatted, Imagelink, JPEG: Upload, RegexValidation, JPEG inline, PNG inline, and transformation wrapper; XML export; MediaWiki export; Designer; When the MySQL server is running with a specially-crafted log_bin directive; Database tab; Replication feature; and Database search. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-zvcj-g6rt-s3de
Aliases: CVE-2017-1000017 GHSA-99xj-xqc9-98hr |
Server-Side Request Forgery (SSRF) phpMyAdmin is vulnerable to a weakness where a user with appropriate permissions is able to connect to an arbitrary MySQL server. |
Affected by 24 other vulnerabilities. |
|
VCID-zyes-82y3-g7dh
Aliases: CVE-2016-6623 GHSA-2mcj-3r3r-v5wm |
An issue was discovered in phpMyAdmin. An authorized user can cause a denial-of-service (DoS) attack on a server by passing large values to a loop. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1drk-gzqj-2qc5 | Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding. |
CVE-2016-5099
|
| VCID-1hvw-4h4d-zkhv | Cross-site Scripting Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin allow remote authenticated users to inject arbitrary web script or HTML. |
CVE-2016-2040
GHSA-pw34-qf6c-84fc |
| VCID-27w6-zhxk-x7e7 | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3) templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos parameter to db_central_columns.php in the central columns page. |
CVE-2016-2561
|
| VCID-33mh-s92h-c7ht | phpMyAdmin vulnerable to Cross-Site Request Forgery The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php. |
CVE-2016-5739
GHSA-2p7v-jm8m-g3qq |
| VCID-4kax-4bpz-g7c5 | Covert Timing Channel `libraries/common.inc.php` in phpMyAdmin does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences. |
CVE-2016-2041
GHSA-8m97-xc46-rw9w |
| VCID-7ntf-d3af-nbbk | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database, (2) table, or (3) column name that is improperly handled during rendering of the table browse page; a crafted ENUM value that is improperly handled during rendering of the (4) table print view or (5) zoom search page; or (6) a crafted pma_fontsize cookie that is improperly handled during rendering of the home page. |
CVE-2014-8958
|
| VCID-bddg-5zgr-3uew | phpMyAdmin vulnerable to Cross-site Scripting Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an "invalid JSON" error message in the error console, (3) a database name in the central columns implementation, (4) a group name, or (5) a search name in the bookmarks implementation. |
CVE-2016-5705
GHSA-6q2j-8h8q-46mr |
| VCID-crn9-f6qt-qfg5 | libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value. |
CVE-2016-2039
|
| VCID-cz55-m46r-37gb | Multiple cross-site request forgery (CSRF) vulnerabilities in the setup process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 allow remote attackers to hijack the authentication of administrators for requests that modify the configuration file. |
CVE-2015-3902
|
| VCID-gqxb-6rey-rbhv | phpMyAdmin vulnerable to Cross-site Scripting Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during privilege checking in table_row.phtml, (2) a crafted mysqld log_bin directive that is mishandled in log_selector.phtml, (3) the Transformation implementation, (4) AJAX error handling in js/ajax.js, (5) the Designer implementation, (6) the charts implementation in js/tbl_chart.js, or (7) the zoom-search implementation in rows_zoom.phtml. |
CVE-2016-5733
GHSA-cr65-p662-fx5c |
| VCID-hw5n-kv9r-8yej | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to libraries/controllers/TableSearchController.class.php in the zoom search page. |
CVE-2016-2560
|
| VCID-jvvf-kwtm-6qb7 | libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to cause a denial of service (resource consumption) via a long password. |
CVE-2014-9218
|
| VCID-k5ph-wws1-fqg4 | Cross-site Scripting Cross-site scripting (XSS) vulnerability in `examples/openid.php` in phpMyAdmin allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message. |
CVE-2016-5731
GHSA-mwm8-36c5-j5cf |
| VCID-mxn5-bh7q-gkdb | The redirection feature in url.php in phpMyAdmin 4.4.x before 4.4.15.1 and 4.5.x before 4.5.1 allows remote attackers to spoof content via the url parameter. |
CVE-2015-7873
GHSA-5pmg-qh2c-7j24 |
| VCID-pnry-rv8t-v3ff | libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests. |
CVE-2015-2206
|
| VCID-qpj7-uk5e-nbez | phpMyAdmin vulnerable to Cross-site Scripting setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI. |
CVE-2016-5701
GHSA-rh74-5835-jpxp |
| VCID-r9sb-489v-fqc9 | phpMyAdmin Cryptographic Vulnerability The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the Math.random JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach. |
CVE-2016-1927
GHSA-4gmg-gwjh-3mmr |
| VCID-s88e-r2gd-9yep | libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 disables X.509 certificate verification for GitHub API calls over SSL, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
CVE-2015-3903
|
| VCID-tvfz-v881-sufp | phpMyAdmin Denial Of Service (DOS) attack js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to cause a denial of service via a large array in the scripts parameter. |
CVE-2016-5706
GHSA-9rmm-8fp4-26hv |
| VCID-uc6b-5sj1-9yg2 | libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4.3.x before 4.3.13.2 and 4.4.x before 4.4.14.1 allows remote attackers to bypass a multiple-reCaptcha protection mechanism against brute-force credential guessing by providing a correct response to a single reCaptcha. |
CVE-2015-6830
GHSA-v6fh-vg22-r6cm |