Search for packages
| purl | pkg:deb/debian/phpmyadmin@4:2.9.1.1-3 |
| Next non-vulnerable version | 4:5.2.1+dfsg-1+deb12u1 |
| Latest non-vulnerable version | 4:5.2.1+dfsg-1+deb12u1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-17ng-yksd-eybe
Aliases: CVE-2019-6798 GHSA-f732-fxh6-g4qj |
An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was reported where a specially crafted username can be used to trigger a SQL injection attack through the designer feature. |
Affected by 6 other vulnerabilities. |
|
VCID-1bhw-42ts-4ubd
Aliases: CVE-2008-4775 |
phpMyAdmin: XSS issue in pmd_pdf.php via db parameter with register_globals enabled |
Affected by 190 other vulnerabilities. |
|
VCID-1chy-7bvj-hqb4
Aliases: CVE-2011-4107 GHSA-q4mm-89q2-xffg |
phpMyAdmin vulnerable to XML external entity (XXE) injection attack The `simplexml_load_string` function in the XML import plug-in (`libraries/import/xml.php`) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack. |
Affected by 145 other vulnerabilities. |
|
VCID-1dgw-1ueg-sudt
Aliases: CVE-2019-12922 GHSA-4c9q-64gq-xhx4 |
A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server in the Setup page. |
Affected by 6 other vulnerabilities. |
|
VCID-1jfu-df2q-duhz
Aliases: CVE-2016-9858 |
Affected by 24 other vulnerabilities. |
|
|
VCID-1k2k-x1hh-sfc5
Aliases: CVE-2013-4995 |
security update |
Affected by 145 other vulnerabilities. Affected by 115 other vulnerabilities. |
|
VCID-1kme-6s76-k3es
Aliases: CVE-2016-5705 GHSA-6q2j-8h8q-46mr |
phpMyAdmin vulnerable to Cross-site Scripting Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an "invalid JSON" error message in the error console, (3) a database name in the central columns implementation, (4) a group name, or (5) a search name in the bookmarks implementation. |
Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-1psm-e1bq-rqg1
Aliases: CVE-2016-9850 |
Affected by 24 other vulnerabilities. |
|
|
VCID-1qyp-8vuv-x7h2
Aliases: CVE-2011-1941 GHSA-v6fw-xf2c-8q43 |
phpMyAdmin Open Redirect in redirector Open redirect vulnerability in the redirector feature in phpMyAdmin 3.4.x before 3.4.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
Affected by 145 other vulnerabilities. |
|
VCID-1v5y-zvte-tugk
Aliases: CVE-2016-9852 |
Affected by 24 other vulnerabilities. |
|
|
VCID-1wkj-35wu-73gj
Aliases: CVE-2021-21252 GHSA-jxwx-85vp-gvwm |
Regular Expression Denial of Service in jquery-validation The GitHub Security Lab team has identified potential security vulnerabilities in jquery.validation. The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service) This issue was discovered and reported by GitHub team member @erik-krogh (Erik Krogh Kristensen). |
Affected by 6 other vulnerabilities. |
|
VCID-22su-k6kh-yqch
Aliases: CVE-2011-2719 |
Affected by 145 other vulnerabilities. |
|
|
VCID-23az-qkmn-gbe3
Aliases: CVE-2025-24530 GHSA-222v-cx2c-q2f5 |
phpMyAdmin XSS when checking tables An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS. |
Affected by 0 other vulnerabilities. |
|
VCID-2739-kr2f-fbd8
Aliases: CVE-2016-5731 GHSA-mwm8-36c5-j5cf |
phpMyAdmin Cross-site scripting (XSS) vulnerability Cross-site scripting (XSS) vulnerability in examples/openid.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message. |
Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-2ae2-s3dp-b7g2
Aliases: CVE-2012-4579 GHSA-q7v2-w38r-pv7v |
phpMyAdmin Multiple XSS Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.2.2 allow remote authenticated users to inject arbitrary web script or HTML via a Table Operations (1) TRUNCATE or (2) DROP link for a crafted table name, (3) the Add Trigger popup within a Triggers page that references crafted table names, (4) an invalid trigger-creation attempt for a crafted table name, (5) crafted data in a table, or (6) a crafted tooltip label name during GIS data visualization, a different issue than CVE-2012-4345. |
Affected by 145 other vulnerabilities. |
|
VCID-2j82-1bxx-7uh6
Aliases: CVE-2014-5273 |
Affected by 115 other vulnerabilities. |
|
|
VCID-2tqn-e8c9-wfc2
Aliases: CVE-2010-2958 GHSA-frv8-xjcp-hrm2 |
phpMyAdmin Cross-site Scripting vulnerability Cross-site scripting (XSS) vulnerability in libraries/Error.class.php in phpMyAdmin 3.x before 3.3.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to a PHP backtrace and error messages (aka debugging messages), a different vulnerability than CVE-2010-3056. |
Affected by 171 other vulnerabilities. |
|
VCID-2w3y-zh4u-bkgf
Aliases: CVE-2016-9864 |
Affected by 24 other vulnerabilities. |
|
|
VCID-2x7w-vq7h-jfcu
Aliases: CVE-2016-9853 GHSA-rmmf-5xhh-gg27 |
Affected by 24 other vulnerabilities. |
|
|
VCID-2xx7-djgx-j7ap
Aliases: CVE-2016-2043 |
Affected by 24 other vulnerabilities. |
|
|
VCID-3493-p7bx-pfbz
Aliases: CVE-2016-9848 |
Affected by 24 other vulnerabilities. |
|
|
VCID-35nm-8pfp-mkaq
Aliases: CVE-2016-9866 GHSA-jvxx-8xxf-5495 |
Affected by 24 other vulnerabilities. |
|
|
VCID-3dmv-tyzz-bfhs
Aliases: CVE-2007-5976 |
db_create SQL Injection |
Affected by 190 other vulnerabilities. |
|
VCID-3jkz-zdy6-n7dz
Aliases: CVE-2016-5704 GHSA-gcvp-cwgw-wx8j |
phpMyAdmin XSS Vulnerability Cross-site scripting (XSS) vulnerability in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving a comment. |
Affected by 24 other vulnerabilities. |
|
VCID-3jr5-4cs5-a7gq
Aliases: CVE-2010-3263 |
Affected by 171 other vulnerabilities. |
|
|
VCID-3kqc-47x2-43cd
Aliases: CVE-2013-4998 |
Affected by 115 other vulnerabilities. |
|
|
VCID-3pe8-5xvv-rqf9
Aliases: CVE-2008-7251 |
phpMyAdmin 2.x multiple vulnerabilities |
Affected by 171 other vulnerabilities. |
|
VCID-3tjq-4435-sfef
Aliases: CVE-2010-4481 GHSA-gmc7-jvv7-w245 |
phpMyAdmin allows remote attackers to bypass authentication and obtain sensitive information phpMyAdmin before 3.4.0-beta1 allows remote attackers to bypass authentication and obtain sensitive information via a direct request to phpinfo.php, which calls the phpinfo function. |
Affected by 171 other vulnerabilities. |
|
VCID-43mn-rf4g-ayg6
Aliases: CVE-2016-6608 GHSA-jfmj-27fp-qp67 |
phpMyAdmin Cross-site Scripting (XSS) XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the "Remove partitioning" functionality. Specially crafted database names can trigger the XSS attack. All 4.6.x versions (prior to 4.6.4) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-483d-rzve-uqae
Aliases: CVE-2009-1149 GHSA-xrpq-63mp-9vcw |
phpMyAdmin HTTP Response Splitting Vulnerability CRLF injection vulnerability in `bs_disp_as_mime_type.php` in the BLOB streaming feature in phpMyAdmin before 3.1.3.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the (1) `c_type` and possibly (2) `file_type` parameters. |
Affected by 171 other vulnerabilities. |
|
VCID-49vs-6j8s-pkey
Aliases: CVE-2015-6830 GHSA-v6fh-vg22-r6cm |
phpMyAdmin ReCaptcha bypass libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4.3.x before 4.3.13.2 and 4.4.x before 4.4.14.1 allows remote attackers to bypass a multiple-reCaptcha protection mechanism against brute-force credential guessing by providing a correct response to a single reCaptcha. |
Affected by 145 other vulnerabilities. Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-4age-g5bt-r7f8
Aliases: CVE-2014-4986 GHSA-jqmr-wqgp-8mh2 |
phpMyAdmin cross-site scripting Vulnerability in Table or Column Names Multiple cross-site scripting (XSS) vulnerabilities in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) table name or (2) column name that is improperly handled during construction of an AJAX confirmation message. |
Affected by 115 other vulnerabilities. |
|
VCID-4k9b-4mxz-87e5
Aliases: CVE-2016-6629 GHSA-567r-vqj7-5cw7 |
phpMyAdmin Authentication Bypass An issue was discovered in phpMyAdmin involving the `$cfg['ArbitraryServerRegexp']` configuration directive. An attacker could reuse certain cookie values in a way of bypassing the servers defined by ArbitraryServerRegexp. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-4q2p-urvd-xbg9
Aliases: CVE-2011-2718 GHSA-xhqq-554j-p4x8 |
phpMyAdmin Directory Traversal Vulnerability Multiple directory traversal vulnerabilities in the relational schema implementation in phpMyAdmin 3.4.x before 3.4.3.2 allow remote authenticated users to include and execute arbitrary local files via directory traversal sequences in an export type field, related to (1) `libraries/schema/User_Schema.class.php` and (2) `schema_export.php`. |
Affected by 145 other vulnerabilities. |
|
VCID-4r9b-k2zk-1kb1
Aliases: CVE-2014-8326 GHSA-pvr5-84gr-g985 |
phpMyAdmin Implementation XSS Vulnerability on Server Monitor Page Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.5, 4.1.x before 4.1.14.6, and 4.2.x before 4.2.10.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database name or (2) table name, related to the `libraries/DatabaseInterface.class.php` code for SQL debug output and the `js/server_status_monitor.js` code for the server monitor page. |
Affected by 115 other vulnerabilities. |
|
VCID-4w8y-7sxv-5bcq
Aliases: CVE-2012-1902 |
Affected by 145 other vulnerabilities. |
|
|
VCID-56x2-cfhw-6kcx
Aliases: CVE-2016-6607 |
Affected by 24 other vulnerabilities. |
|
|
VCID-5734-xha9-yugg
Aliases: CVE-2007-5589 |
Affected by 190 other vulnerabilities. |
|
|
VCID-57hj-3vk6-a3dk
Aliases: CVE-2013-3239 GHSA-gg36-9346-9qx9 |
phpMyAdmin Remote Code Execution phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename of an export file, leading to interpretation of this file as an executable file by the Apache HTTP Server, as demonstrated by a .php.sql filename. |
Affected by 145 other vulnerabilities. |
|
VCID-58t1-99j9-7ycc
Aliases: CVE-2013-5001 |
Affected by 115 other vulnerabilities. |
|
|
VCID-5b9j-2bjt-aybe
Aliases: CVE-2008-3197 |
phpMyAdmin: XSRF/CSRF by manipulating the db (PMASA-2008-5) |
Affected by 190 other vulnerabilities. |
|
VCID-5bk1-q3nj-6qef
Aliases: CVE-2016-5733 GHSA-cr65-p662-fx5c |
phpMyAdmin vulnerable to Cross-site Scripting Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during privilege checking in table_row.phtml, (2) a crafted mysqld log_bin directive that is mishandled in log_selector.phtml, (3) the Transformation implementation, (4) AJAX error handling in js/ajax.js, (5) the Designer implementation, (6) the charts implementation in js/tbl_chart.js, or (7) the zoom-search implementation in rows_zoom.phtml. |
Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-5kds-ef23-g7dm
Aliases: CVE-2016-2560 |
security update |
Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-5qej-xfah-1kaa
Aliases: CVE-2016-6628 GHSA-phhm-63xx-v9rr |
Affected by 24 other vulnerabilities. |
|
|
VCID-5x6h-hhj1-5uab
Aliases: CVE-2016-9863 GHSA-qgrq-64g6-mmh6 |
Affected by 24 other vulnerabilities. |
|
|
VCID-68cy-6u5d-hubd
Aliases: CVE-2011-4782 GHSA-2h23-c973-x63q |
phpMyAdmin Cross-site Scripting vulnerability Cross-site scripting (XSS) vulnerability in libraries/config/ConfigFile.class.php in the setup interface in phpMyAdmin 3.4.x before 3.4.9 allows remote attackers to inject arbitrary web script or HTML via the host parameter. |
Affected by 145 other vulnerabilities. |
|
VCID-6j1s-geef-pfb6
Aliases: CVE-2017-1000018 GHSA-47qr-f86f-3wm4 |
phpMyAdmin DoS Vulnerability phpMyAdmin 4.0, 4.4., and 4.6 are vulnerable to a DOS attack in the replication status by using a specially crafted table name |
Affected by 24 other vulnerabilities. |
|
VCID-6prg-vq7d-dfcc
Aliases: CVE-2013-4997 GHSA-5gh4-v2ch-pcx4 |
phpMyAdmin Multiple cross-site scripting (XSS) vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving a JavaScript event in (1) an anchor identifier to setup/index.php or (2) a chartTitle (aka chart title) value. |
Affected by 115 other vulnerabilities. |
|
VCID-723p-c3ak-myfz
Aliases: CVE-2011-3592 GHSA-5p69-rmx8-7gw7 |
phpMyAdmin Multiple XSS Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in the `PMA_unInlineEditRow` function in js/sql.js in phpMyAdmin 3.4.x before 3.4.5 allow remote authenticated users to inject arbitrary web script or HTML via a (1) database name, (2) table name, or (3) column name that is not properly handled after an inline-editing operation. |
Affected by 145 other vulnerabilities. |
|
VCID-7r2d-sfax-4ycd
Aliases: CVE-2016-6610 |
Affected by 24 other vulnerabilities. |
|
|
VCID-7r2d-wwa7-v3dp
Aliases: CVE-2016-9849 |
Affected by 24 other vulnerabilities. |
|
|
VCID-7udu-bp8s-t7es
Aliases: CVE-2017-1000013 GHSA-5h5m-fj48-qpjw |
phpMyAdmin Open Redirect phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to an open redirect weakness |
Affected by 24 other vulnerabilities. |
|
VCID-838f-2f1n-pkh2
Aliases: CVE-2014-7217 GHSA-wv8g-fx9j-q2jg |
phpMyAdmin cross-site scripting Vulnerability via ENUM value Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.4, 4.1.x before 4.1.14.5, and 4.2.x before 4.2.9.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted ENUM value that is improperly handled during rendering of the (1) table search or (2) table structure page, related to `libraries/TableSearch.class.php` and `libraries/Util.class.php`. |
Affected by 115 other vulnerabilities. |
|
VCID-84pb-neh5-73by
Aliases: CVE-2016-2041 GHSA-8m97-xc46-rw9w |
phpMyAdmin Unsafe comparison of XSRF/CSRF token libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences. |
Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-8tvp-hwm3-5ffn
Aliases: CVE-2019-11768 GHSA-x37v-98f9-mj32 |
An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature. |
Affected by 6 other vulnerabilities. |
|
VCID-8xn3-85sx-eqhk
Aliases: CVE-2011-3646 |
Affected by 145 other vulnerabilities. |
|
|
VCID-96h9-nz2g-g3be
Aliases: CVE-2016-6618 GHSA-rv6m-chvv-wmxg |
phpMyAdmin Denial of service (DOS) attack in transformation feature An issue was discovered in phpMyAdmin. The transformation feature allows a user to trigger a denial-of-service (DoS) attack against the server. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-9a76-y48q-zbeb
Aliases: CVE-2016-6619 |
Affected by 24 other vulnerabilities. |
|
|
VCID-9h1t-5fsg-bbcp
Aliases: CVE-2016-2559 GHSA-7rf8-9r8f-qf59 |
phpMyAdmin Cross-site scripting (XSS) vulnerability in SQL parser Cross-site scripting (XSS) vulnerability in the format function in libraries/sql-parser/src/Utils/Error.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.5.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query. |
Affected by 24 other vulnerabilities. |
|
VCID-9p62-cqz3-2kaj
Aliases: CVE-2009-1285 |
phpMyAdmin: Insufficient output sanitizing when generating configuration file fixed in 3.1.3.2 (PMASA-2009-4) |
Affected by 171 other vulnerabilities. |
|
VCID-9ycw-s1cd-gkch
Aliases: CVE-2011-0987 |
Affected by 145 other vulnerabilities. |
|
|
VCID-a63j-k9z5-nygx
Aliases: CVE-2011-2643 |
Affected by 145 other vulnerabilities. |
|
|
VCID-ahrp-z9m8-tbcs
Aliases: CVE-2014-8958 |
security update |
Affected by 145 other vulnerabilities. Affected by 115 other vulnerabilities. Affected by 113 other vulnerabilities. |
|
VCID-amhh-5v6r-pudq
Aliases: CVE-2010-3055 |
Affected by 171 other vulnerabilities. |
|
|
VCID-aqe7-wzeb-efhg
Aliases: CVE-2007-1395 |
Affected by 190 other vulnerabilities. |
|
|
VCID-ar2s-q1ey-9ua6
Aliases: CVE-2016-9856 GHSA-j8mx-x32r-5rf4 |
Affected by 24 other vulnerabilities. |
|
|
VCID-b2mf-bz89-gfau
Aliases: CVE-2018-19968 GHSA-xc97-r49q-cxgc |
An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a local file because of an error in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system. |
Affected by 6 other vulnerabilities. |
|
VCID-b6rz-wky4-vkfm
Aliases: CVE-2016-2038 |
Affected by 24 other vulnerabilities. |
|
|
VCID-bc59-u3jt-u3fj
Aliases: CVE-2009-1151 |
Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action. |
Affected by 171 other vulnerabilities. |
|
VCID-bjfy-jqvq-4ueu
Aliases: CVE-2009-3697 |
phpMyAdmin: XSS and SQL injection (PMASA-2009-6) |
Affected by 171 other vulnerabilities. |
|
VCID-bjkg-91qs-skcx
Aliases: CVE-2013-4729 GHSA-x962-w72p-mv7q |
phpMyAdmin Global variables scope injection vulnerability import.php in phpMyAdmin 4.x before 4.0.4.1 does not properly restrict the ability of input data to specify a file format, which allows remote authenticated users to modify the GLOBALS superglobal array, and consequently change the configuration, via a crafted request. |
Affected by 115 other vulnerabilities. |
|
VCID-bq1t-sfp3-3ye6
Aliases: CVE-2007-5386 |
Affected by 190 other vulnerabilities. |
|
|
VCID-c4mp-bzke-4bhw
Aliases: CVE-2016-6622 GHSA-qf3f-7x69-qfv3 |
phpMyAdmin DoS Vulnerability An issue was discovered in phpMyAdmin. An unauthenticated user is able to execute a denial-of-service (DoS) attack by forcing persistent connections when phpMyAdmin is running with `$cfg['AllowArbitraryServer']=true`. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-chgb-rgxe-ffd5
Aliases: CVE-2016-4412 |
Affected by 115 other vulnerabilities. |
|
|
VCID-cqpd-4b3p-27hu
Aliases: CVE-2011-1940 GHSA-4q58-5x28-53wv |
phpMyAdmin Vulnerable to Cross-Site Scripting Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.3.x before 3.3.10.1 and 3.4.x before 3.4.1 allow remote attackers to inject arbitrary web script or HTML via a crafted table name that triggers improper HTML rendering on a Tracking page, related to (1) libraries/tbl_links.inc.php and (2) tbl_tracking.php. |
Affected by 145 other vulnerabilities. |
|
VCID-cwsu-1uh4-77dz
Aliases: CVE-2016-6616 |
Affected by 24 other vulnerabilities. |
|
|
VCID-czfr-b4gq-j3cj
Aliases: CVE-2016-2561 |
security update |
Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-czxz-y6wm-ekfj
Aliases: CVE-2020-26935 GHSA-7ff4-cv53-4cjq |
An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL in to a query. |
Affected by 6 other vulnerabilities. |
|
VCID-dpv2-3xj4-s7hm
Aliases: CVE-2016-5706 GHSA-9rmm-8fp4-26hv |
phpMyAdmin Denial Of Service (DOS) attack js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to cause a denial of service via a large array in the scripts parameter. |
Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-drg7-e5cv-mubp
Aliases: CVE-2016-2039 |
security update |
Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-drq8-z1qe-7ufh
Aliases: CVE-2017-1000017 GHSA-99xj-xqc9-98hr |
phpMyAdmin SSRF in replication phpMyAdmin 4.0, 4.4 and 4.6 are vulnerable to a weakness where a user with appropriate permissions is able to connect to an arbitrary MySQL server |
Affected by 24 other vulnerabilities. |
|
VCID-e3xu-5ny1-rkab
Aliases: CVE-2016-6633 GHSA-p849-vf5f-f3x7 |
Affected by 24 other vulnerabilities. |
|
|
VCID-e7wm-q3zx-xfea
Aliases: CVE-2016-6627 |
Affected by 24 other vulnerabilities. |
|
|
VCID-e8jd-au1a-93h1
Aliases: CVE-2011-2507 |
Affected by 145 other vulnerabilities. |
|
|
VCID-e8kt-2au9-x3ba
Aliases: CVE-2016-5703 |
Affected by 24 other vulnerabilities. |
|
|
VCID-e9sk-1r4g-5ycd
Aliases: CVE-2016-5099 |
security update |
Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-e9vh-41h7-s3c7
Aliases: CVE-2013-5000 |
Affected by 115 other vulnerabilities. |
|
|
VCID-f4bk-253j-fkgv
Aliases: CVE-2015-7873 GHSA-5pmg-qh2c-7j24 |
phpMyAdmin allows remote attackers to spoof content via the url parameter The redirection feature in url.php in phpMyAdmin 4.4.x before 4.4.15.1 and 4.5.x before 4.5.1 allows remote attackers to spoof content via the url parameter. |
Affected by 145 other vulnerabilities. Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-f7s2-6bk2-j7c9
Aliases: CVE-2016-6617 |
Affected by 24 other vulnerabilities. |
|
|
VCID-fcjt-pzd8-cugv
Aliases: CVE-2014-8960 |
Affected by 115 other vulnerabilities. |
|
|
VCID-ffb3-yvpv-kkds
Aliases: CVE-2013-4996 |
security update |
Affected by 145 other vulnerabilities. Affected by 115 other vulnerabilities. |
|
VCID-fhk8-rvr9-zbfy
Aliases: CVE-2016-9862 |
Affected by 24 other vulnerabilities. |
|
|
VCID-fsnr-wav4-7ye4
Aliases: CVE-2007-5977 |
XSS in db_create |
Affected by 190 other vulnerabilities. |
|
VCID-fsw3-zq48-s3bh
Aliases: CVE-2016-5701 GHSA-rh74-5835-jpxp |
phpMyAdmin vulnerable to Cross-site Scripting setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI. |
Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-g3kg-m6d9-f3b8
Aliases: CVE-2009-1150 |
phpMyAdmin: multiple security fixes in 3.1.3.1 (PMASA-2009-{1,2,3}) |
Affected by 171 other vulnerabilities. |
|
VCID-g5fx-sqr6-3bba
Aliases: CVE-2016-9865 |
Affected by 24 other vulnerabilities. |
|
|
VCID-g67g-ycx6-ebat
Aliases: CVE-2017-18264 GHSA-5868-g58j-vrj5 |
An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions (e.g., version 5). This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). This occurs because some implementations of the PHP substr function return false when given '' as the first argument. |
Affected by 24 other vulnerabilities. |
|
VCID-g6sw-q4fn-kfd5
Aliases: CVE-2011-3181 |
Affected by 145 other vulnerabilities. |
|
|
VCID-gb76-cwhk-6qbf
Aliases: CVE-2010-3056 |
Affected by 171 other vulnerabilities. |
|
|
VCID-gce6-e4d3-gkge
Aliases: CVE-2014-5274 GHSA-q586-xpwr-jc3j |
phpMyAdmin cross-site scripting vulnerability in crafted view name A cross-site scripting (XSS) vulnerability in the view operations page in phpMyAdmin 4.1.x before 4.1.14.3 and 4.2.x before 4.2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted view name, related to `js/functions.js`. |
Affected by 115 other vulnerabilities. |
|
VCID-gee5-junk-b3b2
Aliases: CVE-2025-24529 |
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab. |
Affected by 0 other vulnerabilities. |
|
VCID-ghn4-f8u3-gyfg
Aliases: CVE-2010-4329 |
Affected by 171 other vulnerabilities. |
|
|
VCID-gq22-5t5e-9uat
Aliases: CVE-2011-2642 |
Affected by 145 other vulnerabilities. |
|
|
VCID-graz-hcmd-xba1
Aliases: CVE-2008-3457 |
Affected by 190 other vulnerabilities. |
|
|
VCID-h2kv-mwcb-wbcq
Aliases: CVE-2007-2245 |
Affected by 190 other vulnerabilities. |
|
|
VCID-hdce-qvrp-fqcg
Aliases: CVE-2020-22452 GHSA-prcg-mc23-hgjh |
phpmyadmin contains SQL Injection vulnerability SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.0.2 via the tbl_storage_engine or tbl_collation parameters to tbl_create.php. |
Affected by 6 other vulnerabilities. |
|
VCID-htbx-3nkc-53gf
Aliases: CVE-2007-1325 |
Affected by 190 other vulnerabilities. |
|
|
VCID-hy45-dt9r-y3a2
Aliases: CVE-2016-6612 GHSA-fcgm-62p3-f7cm |
phpMyAdmin Local file exposure An issue was discovered in phpMyAdmin. A user can exploit the LOAD LOCAL INFILE functionality to expose files on the server to the database system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-jbs5-da9z-ske9
Aliases: CVE-2019-6799 GHSA-c8wj-q36q-3wg4 |
An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of "options(MYSQLI_OPT_LOCAL_INFILE" calls. |
Affected by 6 other vulnerabilities. |
|
VCID-jhw2-nsk6-pqcx
Aliases: CVE-2012-1190 |
Affected by 145 other vulnerabilities. |
|
|
VCID-jjfk-u9s4-97hp
Aliases: CVE-2011-2508 GHSA-q6vw-39cg-wjjf |
phpMyAdmin Directory Traversal vulnerability Directory traversal vulnerability in libraries/display_tbl.lib.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1, when a certain MIME transformation feature is enabled, allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in a GLOBALS[mime_map][$meta->name][transformation] parameter. |
Affected by 145 other vulnerabilities. |
|
VCID-jmh7-efse-p3hk
Aliases: CVE-2016-5097 |
Affected by 24 other vulnerabilities. |
|
|
VCID-ju3y-1w37-auax
Aliases: CVE-2014-8959 |
Affected by 115 other vulnerabilities. |
|
|
VCID-jwbb-tmzj-4qhb
Aliases: CVE-2015-8669 |
Affected by 24 other vulnerabilities. |
|
|
VCID-jxqx-dh1t-eua2
Aliases: CVE-2016-6624 GHSA-mhxj-6vf8-mwv3 |
phpMyAdmin IPv6 and proxy server IP-based authentication rule circumvention An issue was discovered in phpMyAdmin involving improper enforcement of the IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-jxyw-xfmx-s7h4
Aliases: CVE-2011-4780 |
Affected by 145 other vulnerabilities. |
|
|
VCID-jzcm-zdxr-pyhc
Aliases: CVE-2018-7260 GHSA-gqmj-f46x-wqhw |
Cross-site scripting (XSS) vulnerability in db_central_columns.php in phpMyAdmin before 4.7.8 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. |
Affected by 6 other vulnerabilities. |
|
VCID-k6nf-sde9-u7f4
Aliases: CVE-2014-4349 |
phpMyAdmin: Self-XSS due to unescaped HTML output in navigation items hiding feature |
Affected by 115 other vulnerabilities. |
|
VCID-kfee-bu9e-ryet
Aliases: CVE-2016-9855 |
Affected by 24 other vulnerabilities. |
|
|
VCID-kw8w-rzsv-x7aq
Aliases: CVE-2016-9851 GHSA-r2vw-p77f-vc27 |
Affected by 24 other vulnerabilities. |
|
|
VCID-kzr5-ef5h-dfbr
Aliases: CVE-2016-6613 GHSA-6j2v-g9rg-qcm5 |
Affected by 24 other vulnerabilities. |
|
|
VCID-m59a-5uea-rfa9
Aliases: CVE-2016-5734 GHSA-rv57-479x-x4qv |
phpMyAdmin Code Injection vulnerability phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation. |
Affected by 24 other vulnerabilities. |
|
VCID-m8yx-dpuh-jqau
Aliases: CVE-2018-19969 GHSA-xwf2-53mc-r8hx |
phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc. |
Affected by 6 other vulnerabilities. |
|
VCID-mha9-eymv-9bgc
Aliases: CVE-2008-7252 GHSA-9645-6g72-2pv8 |
phpMyAdmin unsafely handles temporary files `libraries/File.class.php` in phpMyAdmin 2.11.x before 2.11.10 uses predictable filenames for temporary files, which has unknown impact and attack vectors. |
Affected by 171 other vulnerabilities. |
|
VCID-mtvz-3r6z-33bk
Aliases: CVE-2019-19617 GHSA-pgph-mc4p-f8c3 |
phpMyAdmin before 4.9.2 does not escape certain Git information, related to libraries/classes/Display/GitRevision.php and libraries/classes/Footer.php. |
Affected by 6 other vulnerabilities. |
|
VCID-n6tc-38md-yug7
Aliases: CVE-2016-6615 |
Affected by 24 other vulnerabilities. |
|
|
VCID-n8y2-72jh-hues
Aliases: CVE-2008-2960 |
phpMyAdmin: XSS on plausible insecure PHP installation (PMASA-2008-4) |
Affected by 190 other vulnerabilities. |
|
VCID-nhd3-1zpa-ekfa
Aliases: CVE-2005-4349 |
SQL injection vulnerability in server_privileges.php in phpMyAdmin 2.7.0 allows remote authenticated users to execute arbitrary SQL commands via the (1) dbname and (2) checkprivs parameters. NOTE: the vendor and a third party have disputed this issue, saying that the main task of the program is to support query execution by authenticated users, and no external attack scenario exists without an auto-login configuration. Thus it is likely that this issue will be REJECTED. However, a closely related CSRF issue has been assigned CVE-2005-4450 |
Affected by 171 other vulnerabilities. |
|
VCID-nhqn-h1hc-73da
Aliases: CVE-2020-26934 GHSA-6349-53vr-7hcr |
phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted link. |
Affected by 6 other vulnerabilities. |
|
VCID-nk4s-8ryt-r7a1
Aliases: CVE-2014-4955 |
Affected by 115 other vulnerabilities. |
|
|
VCID-nmus-bk41-qfbq
Aliases: CVE-2016-1927 GHSA-4gmg-gwjh-3mmr |
phpMyAdmin Cryptographic Vulnerability The `suggestPassword` function in `js/functions.js` in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the `Math.random` JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach. |
Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-nv2g-h4vb-d7cg
Aliases: CVE-2014-1879 |
security update |
Affected by 145 other vulnerabilities. Affected by 115 other vulnerabilities. |
|
VCID-nv63-x4p5-tugf
Aliases: CVE-2015-2206 |
security update |
Affected by 145 other vulnerabilities. Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-nvq3-kpr4-tygg
Aliases: CVE-2014-4348 |
phpMyAdmin: Self-XSS due to unescaped HTML output in recent/favorite tables navigation |
Affected by 115 other vulnerabilities. |
|
VCID-nw94-xevj-tba8
Aliases: CVE-2020-10804 GHSA-h65r-8fp8-w7cx |
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges). |
Affected by 6 other vulnerabilities. |
|
VCID-p36b-cnss-rudu
Aliases: CVE-2008-3456 |
phpMyAdmin: Cross-site Framing; XSS in setup.php (PMASA-2008-6 - CVE-2008-3456, CVE-2008-3457) |
Affected by 190 other vulnerabilities. |
|
VCID-p5pc-qgwf-23ag
Aliases: CVE-2015-3903 |
security update |
Affected by 145 other vulnerabilities. Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-p8pa-decy-57a7
Aliases: CVE-2008-4326 |
phpMyAdmin: XSS in MSIE using NUL byte |
Affected by 190 other vulnerabilities. |
|
VCID-p8xn-tscc-4qhu
Aliases: CVE-2017-1000015 GHSA-3fgq-cmr4-97rr |
Affected by 24 other vulnerabilities. |
|
|
VCID-p95j-37xp-pqbg
Aliases: CVE-2014-9219 |
Affected by 115 other vulnerabilities. |
|
|
VCID-pgp8-88t4-m7a6
Aliases: CVE-2009-3696 GHSA-5pvv-f8h3-gw96 |
phpMyAdmin Cross-site Scripting In MySQL Table Name Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted name for a MySQL table. |
Affected by 171 other vulnerabilities. |
|
VCID-q5fb-upnt-7fdh
Aliases: CVE-2012-4219 |
Affected by 115 other vulnerabilities. |
|
|
VCID-qatj-cpgn-pbgv
Aliases: CVE-2007-6100 |
Affected by 190 other vulnerabilities. |
|
|
VCID-qfq1-gecz-cuf1
Aliases: CVE-2011-3591 GHSA-3p87-w3c5-27gf |
phpMyAdmin Multiple XSS Vulnerabilities After Inline Editing and Save Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.4.x before 3.4.5 allow remote authenticated users to inject arbitrary web script or HTML via a crafted row that triggers an improperly constructed confirmation message after inline-editing and save operations, related to (1) `js/functions.js` and (2) `js/tbl_structure.js`. |
Affected by 145 other vulnerabilities. |
|
VCID-qhn7-b1w4-vkfn
Aliases: CVE-2016-5739 GHSA-2p7v-jm8m-g3qq |
phpMyAdmin vulnerable to Cross-Site Request Forgery The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php. |
Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-qkag-45nb-aybv
Aliases: CVE-2020-5504 GHSA-fgj8-93xx-f6g6 |
In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server. |
Affected by 6 other vulnerabilities. |
|
VCID-qmfr-5d3y-27au
Aliases: CVE-2016-6609 GHSA-wpww-hx7x-xfjh |
Affected by 24 other vulnerabilities. |
|
|
VCID-qnj8-vd73-sbbx
Aliases: CVE-2009-2284 |
phpMyAdmin: XSS: Insufficient output sanitizing in bookmarks (PMASA-2009-5) |
Affected by 171 other vulnerabilities. |
|
VCID-qqt9-hgf5-nkfp
Aliases: CVE-2016-2045 |
Affected by 24 other vulnerabilities. |
|
|
VCID-qu34-hevh-v3a9
Aliases: CVE-2016-6621 GHSA-44vv-mm86-7cg6 |
phpMyAdmin server-side request forgery (SSRF) The setup script for phpMyAdmin before 4.0.10.19, 4.4.x before 4.4.15.10, and 4.6.x before 4.6.6 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors. |
Affected by 24 other vulnerabilities. |
|
VCID-qvb8-x5h7-1kax
Aliases: CVE-2016-9857 GHSA-hmmx-wxh4-9w8w |
Affected by 24 other vulnerabilities. |
|
|
VCID-qxgd-ufvd-nue7
Aliases: CVE-2016-2040 GHSA-pw34-qf6c-84fc |
phpMyAdmin XSS Vulnerability Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname in a Location header. |
Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-qzk4-3xtf-r3g4
Aliases: CVE-2012-4345 GHSA-r3pq-mp8v-cp33 |
phpMyAdmin Multiple Cross-site Scripting Vulnerabilities in the Database Structure page Multiple cross-site scripting (XSS) vulnerabilities in the Database Structure page in phpMyAdmin 3.4.x before 3.4.11.1 and 3.5.x before 3.5.2.2 allow remote authenticated users to inject arbitrary web script or HTML via (1) a crafted table name during table creation, or a (2) Empty link or (3) Drop link for a crafted table name. |
Affected by 145 other vulnerabilities. |
|
VCID-r3az-36ru-jbhv
Aliases: CVE-2016-2562 GHSA-w8qg-j9fp-hrjf |
phpMyAdmin Improper Input Validation The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof these servers and obtain sensitive information via a crafted certificate. |
Affected by 24 other vulnerabilities. |
|
VCID-r7gb-sdkq-kfc6
Aliases: CVE-2011-2505 GHSA-vqcm-r62w-w437 |
phpMyAdmin remote variable manipulation `libraries/auth/swekey/swekey.auth.lib.php` in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the `SESSION` superglobal array via a crafted request, related to a "remote variable manipulation vulnerability." |
Affected by 145 other vulnerabilities. |
|
VCID-rby8-8wrn-h7df
Aliases: CVE-2014-6300 GHSA-6wfj-2mw7-p5cg |
phpMyAdmin micro history Implementation XSS Vulnerability Cross-site scripting (XSS) vulnerability in the micro history implementation in phpMyAdmin 4.0.x before 4.0.10.3, 4.1.x before 4.1.14.4, and 4.2.x before 4.2.8.1 allows remote attackers to inject arbitrary web script or HTML, and consequently conduct a cross-site request forgery (CSRF) attack to create a root account, via a crafted URL, related to js/ajax.js. |
Affected by 115 other vulnerabilities. |
|
VCID-rhpe-t27g-xycn
Aliases: CVE-2016-2044 |
Affected by 24 other vulnerabilities. |
|
|
VCID-rjt3-we76-6bcs
Aliases: CVE-2008-1149 |
phpMyAdmin 2.11.5 contains a security fix |
Affected by 190 other vulnerabilities. |
|
VCID-rqvv-7dvy-dqfd
Aliases: CVE-2016-9860 GHSA-3hw5-fffc-qrg4 |
Affected by 24 other vulnerabilities. |
|
|
VCID-rs9g-rj3u-1bfy
Aliases: CVE-2016-9861 GHSA-r326-mp8g-6xfc |
Affected by 24 other vulnerabilities. |
|
|
VCID-rspx-kym8-xydx
Aliases: CVE-2016-5730 GHSA-wm9c-vcv2-vpqc |
phpMyAdmin full path disclosure vulnerability phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a missing config directory during setup, or (5) an incorrect OpenID identifier data type, which reveals the full path in an error message. |
Affected by 24 other vulnerabilities. |
|
VCID-rsrn-hcvf-8qhp
Aliases: CVE-2011-2506 GHSA-p6h7-29r2-g88f |
phpMyAdmin vulnerable to static code injection `setup/lib/ConfigGenerator.class.php` in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array. |
Affected by 145 other vulnerabilities. |
|
VCID-rxxw-3759-efcb
Aliases: CVE-2019-12616 GHSA-mfr9-pcm3-6mwc |
An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim. |
Affected by 6 other vulnerabilities. |
|
VCID-s7c3-41mx-6qhh
Aliases: CVE-2008-1924 |
phpMyAdmin: Permission/information leak to access with apache rights |
Affected by 190 other vulnerabilities. |
|
VCID-sbf9-au5e-t7h6
Aliases: CVE-2016-6606 |
Affected by 24 other vulnerabilities. |
|
|
VCID-scm4-rffy-gqc1
Aliases: CVE-2014-9218 |
Affected by 145 other vulnerabilities. Affected by 115 other vulnerabilities. Affected by 113 other vulnerabilities. |
|
|
VCID-sebu-s9pz-syf7
Aliases: CVE-2008-5621 |
phpMyAdmin: SQL injection through XSRF on several pages (PMASA-2008-10) |
Affected by 190 other vulnerabilities. |
|
VCID-smb4-qca5-ybaw
Aliases: CVE-2013-5003 |
security update |
Affected by 145 other vulnerabilities. Affected by 115 other vulnerabilities. |
|
VCID-swg9-atpm-ryg1
Aliases: CVE-2013-4999 |
Affected by 115 other vulnerabilities. |
|
|
VCID-t6vn-7ar4-vyde
Aliases: CVE-2014-8961 |
Affected by 115 other vulnerabilities. |
|
|
VCID-tf98-r4qe-fkfn
Aliases: CVE-2010-4480 |
Affected by 171 other vulnerabilities. |
|
|
VCID-trqy-sz24-vqfn
Aliases: CVE-2014-4987 |
Affected by 115 other vulnerabilities. |
|
|
VCID-tsxh-g8p7-pqag
Aliases: CVE-2014-4954 |
Affected by 115 other vulnerabilities. |
|
|
VCID-tuac-cwdp-fycg
Aliases: CVE-2016-6626 |
Affected by 24 other vulnerabilities. |
|
|
VCID-tx6k-19sr-2kh3
Aliases: CVE-2017-1000016 GHSA-j2cq-h6v2-f875 |
phpMyAdmin Cookie attribute injection attack A weakness was discovered where an attacker can inject arbitrary values in to the browser cookies. This is a re-issue of an incomplete fix from PMASA-2016-18. |
Affected by 24 other vulnerabilities. |
|
VCID-txdw-6pp4-4bes
Aliases: CVE-2016-6631 |
Affected by 24 other vulnerabilities. |
|
|
VCID-tzn2-z2yc-7ue7
Aliases: CVE-2013-5002 GHSA-p632-5w74-x8xx |
phpMyAdmin Cross-site scripting (XSS) vulnerability via pageNumber value Cross-site scripting (XSS) vulnerability in `libraries/schema/Export_Relation_Schema.class.php` in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted pageNumber value to schema_export.php. |
Affected by 145 other vulnerabilities. Affected by 115 other vulnerabilities. |
|
VCID-u2js-dkmt-h3fc
Aliases: CVE-2018-10188 GHSA-v6fp-h79x-9rqc |
phpMyAdmin 4.8.0 before 4.8.0-1 has CSRF, allowing an attacker to execute arbitrary SQL statements, related to js/db_operations.js, js/tbl_operations.js, libraries/classes/Operations.php, and sql.php. |
Affected by 6 other vulnerabilities. |
|
VCID-u6cb-a35s-8yaf
Aliases: CVE-2019-18622 GHSA-jgjc-332c-8cmc |
An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature. |
Affected by 6 other vulnerabilities. |
|
VCID-u6jq-4avw-zub5
Aliases: CVE-2015-3902 |
security update |
Affected by 145 other vulnerabilities. Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-uadb-pet6-rkaz
Aliases: CVE-2008-4096 |
phpMyAdmin: Code execution vulnerability (< 2.11.9.1) |
Affected by 190 other vulnerabilities. |
|
VCID-uwyk-mz9s-47b3
Aliases: CVE-2013-5029 |
Affected by 115 other vulnerabilities. |
|
|
VCID-uzqr-vej5-83gu
Aliases: CVE-2009-4605 |
phpMyAdmin 2.x multiple vulnerabilities |
Affected by 171 other vulnerabilities. |
|
VCID-v3xe-8zk4-q3gm
Aliases: CVE-2016-5702 GHSA-xqw9-ffx7-g998 |
phpMyAdmin cookie-attribute injection phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI. |
Affected by 24 other vulnerabilities. |
|
VCID-v9xv-p3aa-kyfm
Aliases: CVE-2011-4064 |
Affected by 145 other vulnerabilities. |
|
|
VCID-vf18-jwgj-guhn
Aliases: CVE-2018-19970 GHSA-8987-93fh-rcwq |
In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a crafted database/table name. |
Affected by 6 other vulnerabilities. |
|
VCID-vhu1-psag-gkgc
Aliases: CVE-2016-6630 |
Affected by 24 other vulnerabilities. |
|
|
VCID-vrnj-k5mr-23gp
Aliases: CVE-2016-6611 |
Affected by 24 other vulnerabilities. |
|
|
VCID-wc6c-curv-cqa5
Aliases: CVE-2009-1148 |
phpMyAdmin: multiple security fixes in 3.1.3.1 (PMASA-2009-{1,2,3}) |
Affected by 171 other vulnerabilities. |
|
VCID-weje-ut8w-3fh9
Aliases: CVE-2023-25727 GHSA-6hr3-44gx-g6wh |
Cross-site Scripting vulnerability in drag-and-drop upload of phpMyAdmin In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger Cross-site Scripting (XSS) by uploading a crafted .sql file through the drag-and-drop interface. By disabling the configuration directive `$cfg['enable_drag_drop_import']`, users will be unable to use the drag and drop upload which would protect against the vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-wgv2-kxrx-1qcz
Aliases: CVE-2016-9859 |
Affected by 24 other vulnerabilities. |
|
|
VCID-wu7r-kc8u-mubh
Aliases: CVE-2016-9854 |
Affected by 24 other vulnerabilities. |
|
|
VCID-x1d8-mzdj-wbhw
Aliases: CVE-2016-6614 |
Affected by 24 other vulnerabilities. |
|
|
VCID-x4xq-zycy-sfd5
Aliases: CVE-2016-5732 GHSA-3q28-xfw3-2q35 |
phpMyAdmin XSS Vulnerability Multiple cross-site scripting (XSS) vulnerabilities in the partition-range implementation in `templates/table/structure/display_partitions.phtml` in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via crafted table parameters. |
Affected by 24 other vulnerabilities. |
|
VCID-x7gr-hgqa-2uek
Aliases: CVE-2020-10803 GHSA-fcww-8wvc-38q9 |
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack. |
Affected by 6 other vulnerabilities. |
|
VCID-xn5r-tzjc-bqcg
Aliases: CVE-2016-2042 |
phpMyAdmin: Multiple full path disclosure vulnerabilities (PMASA-2016-6) |
Affected by 24 other vulnerabilities. |
|
VCID-xrnq-v6ph-97hn
Aliases: CVE-2016-9847 GHSA-9xhq-pm7v-693p |
Affected by 24 other vulnerabilities. |
|
|
VCID-xwep-f5r7-ryhj
Aliases: CVE-2016-6620 |
Affected by 24 other vulnerabilities. |
|
|
VCID-yj3k-52pf-w3e9
Aliases: CVE-2011-4634 GHSA-9j9h-cpgc-8356 |
phpMyAdmin vulnerable to Cross-site Scripting Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.4.x before 3.4.8 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted database name, related to the Database Synchronize panel; (2) a crafted database name, related to the Database rename panel; (3) a crafted SQL query, related to the table overview panel; (4) a crafted SQL query, related to the view creation dialog; (5) a crafted column type, related to the table search dialog; or (6) a crafted column type, related to the create index dialog. |
Affected by 145 other vulnerabilities. |
|
VCID-ysy7-psez-cbhq
Aliases: CVE-2015-8980 |
The plural form formula in ngettext family of calls in php-gettext before 1.0.12 allows remote attackers to execute arbitrary code. |
Affected by 24 other vulnerabilities. |
|
VCID-yvwv-ebhn-x3g5
Aliases: CVE-2016-6625 GHSA-r643-7xfg-ppc5 |
phpMyAdmin allows to detect if user is logged in An issue was discovered in phpMyAdmin. An attacker can determine whether a user is logged in to phpMyAdmin. The user's session, username, and password are not compromised by this vulnerability. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 24 other vulnerabilities. |
|
VCID-ywx4-k59s-kyfw
Aliases: CVE-2018-12581 GHSA-vxj6-pm6r-23hq |
An issue was discovered in js/designer/move.js in phpMyAdmin before 4.8.2. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature. |
Affected by 6 other vulnerabilities. |
|
VCID-z37z-773u-2fd7
Aliases: CVE-2016-6632 GHSA-426q-975p-w5cr |
Affected by 24 other vulnerabilities. |
|
|
VCID-zeb7-vr2y-8qgg
Aliases: CVE-2011-0986 GHSA-wcmm-28rg-mg3r |
phpMyAdmin allows remote attackers to obtain installation path via direct request for nonexistent file phpMyAdmin 2.11.x before 2.11.11.2, and 3.3.x before 3.3.9.1, does not properly handle the absence of the (1) README, (2) ChangeLog, and (3) LICENSE files, which allows remote attackers to obtain the installation path via a direct request for a nonexistent file. |
Affected by 145 other vulnerabilities. |
|
VCID-zhem-w1eh-pydp
Aliases: CVE-2013-3742 |
Affected by 115 other vulnerabilities. |
|
|
VCID-zjy7-eubd-1qbz
Aliases: CVE-2016-6623 GHSA-2mcj-3r3r-v5wm |
Affected by 24 other vulnerabilities. |
|
|
VCID-zv6a-mj99-p7az
Aliases: CVE-2020-10802 GHSA-f4cr-3xmc-2wpm |
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table. |
Affected by 6 other vulnerabilities. |
|
VCID-zxus-a2uc-aqe8
Aliases: CVE-2017-1000014 GHSA-9hrc-rwrq-v6mh |
Affected by 24 other vulnerabilities. |