| purl | pkg:deb/debian/phpmyadmin@4:4.2.12-2 |
| Next non-vulnerable version | 4:5.2.1+dfsg-1+deb12u1 |
| Latest non-vulnerable version | 4:5.2.1+dfsg-1+deb12u1 |
| Risk | 10.0 |

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-17ng-yksd-eybe Aliases: CVE-2019-6798 GHSA-f732-fxh6-g4qj | An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was reported where a specially crafted username can be used to trigger a SQL injection attack through the designer feature. | Affected by 6 other vulnerabilities. |
| VCID-1dgw-1ueg-sudt Aliases: CVE-2019-12922 GHSA-4c9q-64gq-xhx4 | A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server in the Setup page. | Affected by 6 other vulnerabilities. |
| VCID-1jfu-df2q-duhz Aliases: CVE-2016-9858 | | Affected by 24 other vulnerabilities. |
| VCID-1kme-6s76-k3es Aliases: CVE-2016-5705 GHSA-6q2j-8h8q-46mr | phpMyAdmin vulnerable to Cross-site Scripting: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an "invalid JSON" error message in the error console, (3) a database name in the central columns implementation, (4) a group name, or (5) a search name in the bookmarks implementation. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-1psm-e1bq-rqg1 Aliases: CVE-2016-9850 | | Affected by 24 other vulnerabilities. |
| VCID-1v5y-zvte-tugk Aliases: CVE-2016-9852 | | Affected by 24 other vulnerabilities. |
| VCID-1wkj-35wu-73gj Aliases: CVE-2021-21252 GHSA-jxwx-85vp-gvwm | Regular Expression Denial of Service in jquery-validation: The GitHub Security Lab team has identified potential security vulnerabilities in jquery.validation. The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service). This issue was discovered and reported by GitHub team member @erik-krogh (Erik Krogh Kristensen). | Affected by 6 other vulnerabilities. |
| VCID-23az-qkmn-gbe3 Aliases: CVE-2025-24530 GHSA-222v-cx2c-q2f5 | phpMyAdmin XSS when checking tables: An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS. | Affected by 0 other vulnerabilities. |
| VCID-2739-kr2f-fbd8 Aliases: CVE-2016-5731 GHSA-mwm8-36c5-j5cf | phpMyAdmin Cross-site scripting (XSS) vulnerability: Cross-site scripting (XSS) vulnerability in examples/openid.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-2w3y-zh4u-bkgf Aliases: CVE-2016-9864 | | Affected by 24 other vulnerabilities. |
| VCID-2x7w-vq7h-jfcu Aliases: CVE-2016-9853 GHSA-rmmf-5xhh-gg27 | | Affected by 24 other vulnerabilities. |
| VCID-2xx7-djgx-j7ap Aliases: CVE-2016-2043 | | Affected by 24 other vulnerabilities. |
| VCID-3493-p7bx-pfbz Aliases: CVE-2016-9848 | | Affected by 24 other vulnerabilities. |
| VCID-35nm-8pfp-mkaq Aliases: CVE-2016-9866 GHSA-jvxx-8xxf-5495 | | Affected by 24 other vulnerabilities. |
| VCID-3jkz-zdy6-n7dz Aliases: CVE-2016-5704 GHSA-gcvp-cwgw-wx8j | phpMyAdmin XSS Vulnerability: Cross-site scripting (XSS) vulnerability in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving a comment. | Affected by 24 other vulnerabilities. |
| VCID-43mn-rf4g-ayg6 Aliases: CVE-2016-6608 GHSA-jfmj-27fp-qp67 | phpMyAdmin Cross-site Scripting (XSS): XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the "Remove partitioning" functionality. Specially crafted database names can trigger the XSS attack. All 4.6.x versions (prior to 4.6.4) are affected. | Affected by 24 other vulnerabilities. |
| VCID-49vs-6j8s-pkey Aliases: CVE-2015-6830 GHSA-v6fh-vg22-r6cm | phpMyAdmin ReCaptcha bypass: libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4.3.x before 4.3.13.2 and 4.4.x before 4.4.14.1 allows remote attackers to bypass a multiple-reCaptcha protection mechanism against brute-force credential guessing by providing a correct response to a single reCaptcha. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-4k9b-4mxz-87e5 Aliases: CVE-2016-6629 GHSA-567r-vqj7-5cw7 | phpMyAdmin Authentication Bypass: An issue was discovered in phpMyAdmin involving the `$cfg['ArbitraryServerRegexp']` configuration directive. An attacker could reuse certain cookie values in a way of bypassing the servers defined by ArbitraryServerRegexp. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | Affected by 24 other vulnerabilities. |
| VCID-56x2-cfhw-6kcx Aliases: CVE-2016-6607 | | Affected by 24 other vulnerabilities. |
| VCID-5bk1-q3nj-6qef Aliases: CVE-2016-5733 GHSA-cr65-p662-fx5c | phpMyAdmin vulnerable to Cross-site Scripting: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during privilege checking in table_row.phtml, (2) a crafted mysqld log_bin directive that is mishandled in log_selector.phtml, (3) the Transformation implementation, (4) AJAX error handling in js/ajax.js, (5) the Designer implementation, (6) the charts implementation in js/tbl_chart.js, or (7) the zoom-search implementation in rows_zoom.phtml. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-5kds-ef23-g7dm Aliases: CVE-2016-2560 | security update | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-5qej-xfah-1kaa Aliases: CVE-2016-6628 GHSA-phhm-63xx-v9rr | | Affected by 24 other vulnerabilities. |
| VCID-5x6h-hhj1-5uab Aliases: CVE-2016-9863 GHSA-qgrq-64g6-mmh6 | | Affected by 24 other vulnerabilities. |
| VCID-6j1s-geef-pfb6 Aliases: CVE-2017-1000018 GHSA-47qr-f86f-3wm4 | phpMyAdmin DoS Vulnerability: phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a DOS attack in the replication status by using a specially crafted table name. | Affected by 24 other vulnerabilities. |
| VCID-7r2d-sfax-4ycd Aliases: CVE-2016-6610 | | Affected by 24 other vulnerabilities. |
| VCID-7r2d-wwa7-v3dp Aliases: CVE-2016-9849 | | Affected by 24 other vulnerabilities. |
| VCID-7udu-bp8s-t7es Aliases: CVE-2017-1000013 GHSA-5h5m-fj48-qpjw | phpMyAdmin Open Redirect: phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to an open redirect weakness. | Affected by 24 other vulnerabilities. |
| VCID-84pb-neh5-73by Aliases: CVE-2016-2041 GHSA-8m97-xc46-rw9w | phpMyAdmin Unsafe comparison of XSRF/CSRF token: libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-8tvp-hwm3-5ffn Aliases: CVE-2019-11768 GHSA-x37v-98f9-mj32 | An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature. | Affected by 6 other vulnerabilities. |
| VCID-96h9-nz2g-g3be Aliases: CVE-2016-6618 GHSA-rv6m-chvv-wmxg | phpMyAdmin Denial of service (DOS) attack in transformation feature: An issue was discovered in phpMyAdmin. The transformation feature allows a user to trigger a denial-of-service (DoS) attack against the server. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | Affected by 24 other vulnerabilities. |
| VCID-9a76-y48q-zbeb Aliases: CVE-2016-6619 | | Affected by 24 other vulnerabilities. |
| VCID-9h1t-5fsg-bbcp Aliases: CVE-2016-2559 GHSA-7rf8-9r8f-qf59 | phpMyAdmin Cross-site scripting (XSS) vulnerability in SQL parser: Cross-site scripting (XSS) vulnerability in the format function in libraries/sql-parser/src/Utils/Error.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.5.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query. | Affected by 24 other vulnerabilities. |
| VCID-ahrp-z9m8-tbcs Aliases: CVE-2014-8958 | security update | Affected by 113 other vulnerabilities. |
| VCID-ar2s-q1ey-9ua6 Aliases: CVE-2016-9856 GHSA-j8mx-x32r-5rf4 | | Affected by 24 other vulnerabilities. |
| VCID-b2mf-bz89-gfau Aliases: CVE-2018-19968 GHSA-xc97-r49q-cxgc | An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a local file because of an error in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system. | Affected by 6 other vulnerabilities. |
| VCID-b6rz-wky4-vkfm Aliases: CVE-2016-2038 | | Affected by 24 other vulnerabilities. |
| VCID-c4mp-bzke-4bhw Aliases: CVE-2016-6622 GHSA-qf3f-7x69-qfv3 | phpMyAdmin DoS Vulnerability: An issue was discovered in phpMyAdmin. An unauthenticated user is able to execute a denial-of-service (DoS) attack by forcing persistent connections when phpMyAdmin is running with `$cfg['AllowArbitraryServer']=true`. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | Affected by 24 other vulnerabilities. |
| VCID-cwsu-1uh4-77dz Aliases: CVE-2016-6616 | | Affected by 24 other vulnerabilities. |
| VCID-czfr-b4gq-j3cj Aliases: CVE-2016-2561 | security update | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-czxz-y6wm-ekfj Aliases: CVE-2020-26935 GHSA-7ff4-cv53-4cjq | An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL into a query. | Affected by 6 other vulnerabilities. |
| VCID-dpv2-3xj4-s7hm Aliases: CVE-2016-5706 GHSA-9rmm-8fp4-26hv | phpMyAdmin Denial Of Service (DOS) attack: js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to cause a denial of service via a large array in the scripts parameter. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-drg7-e5cv-mubp Aliases: CVE-2016-2039 | security update | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-drq8-z1qe-7ufh Aliases: CVE-2017-1000017 GHSA-99xj-xqc9-98hr | phpMyAdmin SSRF in replication: phpMyAdmin 4.0, 4.4 and 4.6 are vulnerable to a weakness where a user with appropriate permissions is able to connect to an arbitrary MySQL server. | Affected by 24 other vulnerabilities. |
| VCID-e3xu-5ny1-rkab Aliases: CVE-2016-6633 GHSA-p849-vf5f-f3x7 | | Affected by 24 other vulnerabilities. |
| VCID-e7wm-q3zx-xfea Aliases: CVE-2016-6627 | | Affected by 24 other vulnerabilities. |
| VCID-e8kt-2au9-x3ba Aliases: CVE-2016-5703 | | Affected by 24 other vulnerabilities. |
| VCID-e9sk-1r4g-5ycd Aliases: CVE-2016-5099 | security update | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-f4bk-253j-fkgv Aliases: CVE-2015-7873 GHSA-5pmg-qh2c-7j24 | phpMyAdmin allows remote attackers to spoof content via the url parameter: The redirection feature in url.php in phpMyAdmin 4.4.x before 4.4.15.1 and 4.5.x before 4.5.1 allows remote attackers to spoof content via the url parameter. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-f7s2-6bk2-j7c9 Aliases: CVE-2016-6617 | | Affected by 24 other vulnerabilities. |
| VCID-fhk8-rvr9-zbfy Aliases: CVE-2016-9862 | | Affected by 24 other vulnerabilities. |
| VCID-fsw3-zq48-s3bh Aliases: CVE-2016-5701 GHSA-rh74-5835-jpxp | phpMyAdmin vulnerable to Cross-site Scripting: setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-g5fx-sqr6-3bba Aliases: CVE-2016-9865 | | Affected by 24 other vulnerabilities. |
| VCID-g67g-ycx6-ebat Aliases: CVE-2017-18264 GHSA-5868-g58j-vrj5 | An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions caused by `$cfg['Servers'][$i]['AllowNoPassword'] = false` are bypassed under certain PHP versions (e.g., version 5). This can allow the login of users who have no password set even if the administrator has set `$cfg['Servers'][$i]['AllowNoPassword']` to false (which is also the default). This occurs because some implementations of the PHP substr function return false when given '' as the first argument. | Affected by 24 other vulnerabilities. |
| VCID-gee5-junk-b3b2 Aliases: CVE-2025-24529 | An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab. | Affected by 0 other vulnerabilities. |
| VCID-hdce-qvrp-fqcg Aliases: CVE-2020-22452 GHSA-prcg-mc23-hgjh | phpmyadmin contains SQL Injection vulnerability: SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.0.2 via the tbl_storage_engine or tbl_collation parameters to tbl_create.php. | Affected by 6 other vulnerabilities. |
| VCID-hy45-dt9r-y3a2 Aliases: CVE-2016-6612 GHSA-fcgm-62p3-f7cm | phpMyAdmin Local file exposure: An issue was discovered in phpMyAdmin. A user can exploit the LOAD LOCAL INFILE functionality to expose files on the server to the database system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | Affected by 24 other vulnerabilities. |
| VCID-jbs5-da9z-ske9 Aliases: CVE-2019-6799 GHSA-c8wj-q36q-3wg4 | An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of "options(MYSQLI_OPT_LOCAL_INFILE" calls. | Affected by 6 other vulnerabilities. |
| VCID-jmh7-efse-p3hk Aliases: CVE-2016-5097 | | Affected by 24 other vulnerabilities. |
| VCID-jwbb-tmzj-4qhb Aliases: CVE-2015-8669 | | Affected by 24 other vulnerabilities. |
| VCID-jxqx-dh1t-eua2 Aliases: CVE-2016-6624 GHSA-mhxj-6vf8-mwv3 | phpMyAdmin IPv6 and proxy server IP-based authentication rule circumvention: An issue was discovered in phpMyAdmin involving improper enforcement of the IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | Affected by 24 other vulnerabilities. |
| VCID-jzcm-zdxr-pyhc Aliases: CVE-2018-7260 GHSA-gqmj-f46x-wqhw | Cross-site scripting (XSS) vulnerability in db_central_columns.php in phpMyAdmin before 4.7.8 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | Affected by 6 other vulnerabilities. |
| VCID-kfee-bu9e-ryet Aliases: CVE-2016-9855 | | Affected by 24 other vulnerabilities. |
| VCID-kw8w-rzsv-x7aq Aliases: CVE-2016-9851 GHSA-r2vw-p77f-vc27 | | Affected by 24 other vulnerabilities. |
| VCID-kzr5-ef5h-dfbr Aliases: CVE-2016-6613 GHSA-6j2v-g9rg-qcm5 | | Affected by 24 other vulnerabilities. |
| VCID-m59a-5uea-rfa9 Aliases: CVE-2016-5734 GHSA-rv57-479x-x4qv | phpMyAdmin Code Injection vulnerability: phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation. | Affected by 24 other vulnerabilities. |
| VCID-m8yx-dpuh-jqau Aliases: CVE-2018-19969 GHSA-xwf2-53mc-r8hx | phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc. | Affected by 6 other vulnerabilities. |
| VCID-mtvz-3r6z-33bk Aliases: CVE-2019-19617 GHSA-pgph-mc4p-f8c3 | phpMyAdmin before 4.9.2 does not escape certain Git information, related to libraries/classes/Display/GitRevision.php and libraries/classes/Footer.php. | Affected by 6 other vulnerabilities. |
| VCID-n6tc-38md-yug7 Aliases: CVE-2016-6615 | | Affected by 24 other vulnerabilities. |
| VCID-nhqn-h1hc-73da Aliases: CVE-2020-26934 GHSA-6349-53vr-7hcr | phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted link. | Affected by 6 other vulnerabilities. |
| VCID-nmus-bk41-qfbq Aliases: CVE-2016-1927 GHSA-4gmg-gwjh-3mmr | phpMyAdmin Cryptographic Vulnerability: The `suggestPassword` function in `js/functions.js` in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the `Math.random` JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-nv63-x4p5-tugf Aliases: CVE-2015-2206 | security update | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-nw94-xevj-tba8 Aliases: CVE-2020-10804 GHSA-h65r-8fp8-w7cx | In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges). | Affected by 6 other vulnerabilities. |
| VCID-p5pc-qgwf-23ag Aliases: CVE-2015-3903 | security update | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-p8xn-tscc-4qhu Aliases: CVE-2017-1000015 GHSA-3fgq-cmr4-97rr | | Affected by 24 other vulnerabilities. |
| VCID-qhn7-b1w4-vkfn Aliases: CVE-2016-5739 GHSA-2p7v-jm8m-g3qq | phpMyAdmin vulnerable to Cross-Site Request Forgery: The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-qkag-45nb-aybv Aliases: CVE-2020-5504 GHSA-fgj8-93xx-f6g6 | In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server. | Affected by 6 other vulnerabilities. |
| VCID-qmfr-5d3y-27au Aliases: CVE-2016-6609 GHSA-wpww-hx7x-xfjh | | Affected by 24 other vulnerabilities. |
| VCID-qqt9-hgf5-nkfp Aliases: CVE-2016-2045 | | Affected by 24 other vulnerabilities. |
| VCID-qu34-hevh-v3a9 Aliases: CVE-2016-6621 GHSA-44vv-mm86-7cg6 | phpMyAdmin server-side request forgery (SSRF): The setup script for phpMyAdmin before 4.0.10.19, 4.4.x before 4.4.15.10, and 4.6.x before 4.6.6 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors. | Affected by 24 other vulnerabilities. |
| VCID-qvb8-x5h7-1kax Aliases: CVE-2016-9857 GHSA-hmmx-wxh4-9w8w | | Affected by 24 other vulnerabilities. |
| VCID-qxgd-ufvd-nue7 Aliases: CVE-2016-2040 GHSA-pw34-qf6c-84fc | phpMyAdmin XSS Vulnerability: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname in a Location header. | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-r3az-36ru-jbhv Aliases: CVE-2016-2562 GHSA-w8qg-j9fp-hrjf | phpMyAdmin Improper Input Validation: The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof these servers and obtain sensitive information via a crafted certificate. | Affected by 24 other vulnerabilities. |
| VCID-rhpe-t27g-xycn Aliases: CVE-2016-2044 | | Affected by 24 other vulnerabilities. |
| VCID-rqvv-7dvy-dqfd Aliases: CVE-2016-9860 GHSA-3hw5-fffc-qrg4 | | Affected by 24 other vulnerabilities. |
| VCID-rs9g-rj3u-1bfy Aliases: CVE-2016-9861 GHSA-r326-mp8g-6xfc | | Affected by 24 other vulnerabilities. |
| VCID-rspx-kym8-xydx Aliases: CVE-2016-5730 GHSA-wm9c-vcv2-vpqc | phpMyAdmin full path disclosure vulnerability: phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a missing config directory during setup, or (5) an incorrect OpenID identifier data type, which reveals the full path in an error message. | Affected by 24 other vulnerabilities. |
| VCID-rxxw-3759-efcb Aliases: CVE-2019-12616 GHSA-mfr9-pcm3-6mwc | An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken `<img>` tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim. | Affected by 6 other vulnerabilities. |
| VCID-sbf9-au5e-t7h6 Aliases: CVE-2016-6606 | | Affected by 24 other vulnerabilities. |
| VCID-scm4-rffy-gqc1 Aliases: CVE-2014-9218 | | Affected by 113 other vulnerabilities. |
| VCID-tuac-cwdp-fycg Aliases: CVE-2016-6626 | | Affected by 24 other vulnerabilities. |
| VCID-tx6k-19sr-2kh3 Aliases: CVE-2017-1000016 GHSA-j2cq-h6v2-f875 | phpMyAdmin Cookie attribute injection attack: A weakness was discovered where an attacker can inject arbitrary values into the browser cookies. This is a re-issue of an incomplete fix from PMASA-2016-18. | Affected by 24 other vulnerabilities. |
| VCID-txdw-6pp4-4bes Aliases: CVE-2016-6631 | | Affected by 24 other vulnerabilities. |
| VCID-u2js-dkmt-h3fc Aliases: CVE-2018-10188 GHSA-v6fp-h79x-9rqc | phpMyAdmin 4.8.0 before 4.8.0-1 has CSRF, allowing an attacker to execute arbitrary SQL statements, related to js/db_operations.js, js/tbl_operations.js, libraries/classes/Operations.php, and sql.php. | Affected by 6 other vulnerabilities. |
| VCID-u6cb-a35s-8yaf Aliases: CVE-2019-18622 GHSA-jgjc-332c-8cmc | An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature. | Affected by 6 other vulnerabilities. |
| VCID-u6jq-4avw-zub5 Aliases: CVE-2015-3902 | security update | Affected by 113 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-v3xe-8zk4-q3gm Aliases: CVE-2016-5702 GHSA-xqw9-ffx7-g998 | phpMyAdmin cookie-attribute injection: phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI. | Affected by 24 other vulnerabilities. |
| VCID-vf18-jwgj-guhn Aliases: CVE-2018-19970 GHSA-8987-93fh-rcwq | In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a crafted database/table name. | Affected by 6 other vulnerabilities. |
| VCID-vhu1-psag-gkgc Aliases: CVE-2016-6630 | | Affected by 24 other vulnerabilities. |
| VCID-vrnj-k5mr-23gp Aliases: CVE-2016-6611 | | Affected by 24 other vulnerabilities. |
| VCID-weje-ut8w-3fh9 Aliases: CVE-2023-25727 GHSA-6hr3-44gx-g6wh | Cross-site Scripting vulnerability in drag-and-drop upload of phpMyAdmin: In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger Cross-site Scripting (XSS) by uploading a crafted .sql file through the drag-and-drop interface. By disabling the configuration directive `$cfg['enable_drag_drop_import']`, users will be unable to use the drag and drop upload which would protect against the vulnerability. | Affected by 0 other vulnerabilities. |
| VCID-wgv2-kxrx-1qcz Aliases: CVE-2016-9859 | | Affected by 24 other vulnerabilities. |
| VCID-wu7r-kc8u-mubh Aliases: CVE-2016-9854 | | Affected by 24 other vulnerabilities. |
| VCID-x1d8-mzdj-wbhw Aliases: CVE-2016-6614 | | Affected by 24 other vulnerabilities. |
| VCID-x4xq-zycy-sfd5 Aliases: CVE-2016-5732 GHSA-3q28-xfw3-2q35 | phpMyAdmin XSS Vulnerability: Multiple cross-site scripting (XSS) vulnerabilities in the partition-range implementation in `templates/table/structure/display_partitions.phtml` in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via crafted table parameters. | Affected by 24 other vulnerabilities. |
| VCID-x7gr-hgqa-2uek Aliases: CVE-2020-10803 GHSA-fcww-8wvc-38q9 | In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack. | Affected by 6 other vulnerabilities. |
| VCID-xn5r-tzjc-bqcg Aliases: CVE-2016-2042 | phpMyAdmin: Multiple full path disclosure vulnerabilities (PMASA-2016-6) | Affected by 24 other vulnerabilities. |
| VCID-xrnq-v6ph-97hn Aliases: CVE-2016-9847 GHSA-9xhq-pm7v-693p | | Affected by 24 other vulnerabilities. |
| VCID-xwep-f5r7-ryhj Aliases: CVE-2016-6620 | | Affected by 24 other vulnerabilities. |
| VCID-ysy7-psez-cbhq Aliases: CVE-2015-8980 | The plural form formula in ngettext family of calls in php-gettext before 1.0.12 allows remote attackers to execute arbitrary code. | Affected by 24 other vulnerabilities. |
| VCID-yvwv-ebhn-x3g5 Aliases: CVE-2016-6625 GHSA-r643-7xfg-ppc5 | phpMyAdmin allows to detect if user is logged in: An issue was discovered in phpMyAdmin. An attacker can determine whether a user is logged in to phpMyAdmin. The user's session, username, and password are not compromised by this vulnerability. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | Affected by 24 other vulnerabilities. |
| VCID-ywx4-k59s-kyfw Aliases: CVE-2018-12581 GHSA-vxj6-pm6r-23hq | An issue was discovered in js/designer/move.js in phpMyAdmin before 4.8.2. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature. | Affected by 6 other vulnerabilities. |
| VCID-z37z-773u-2fd7 Aliases: CVE-2016-6632 GHSA-426q-975p-w5cr | | Affected by 24 other vulnerabilities. |
| VCID-zjy7-eubd-1qbz Aliases: CVE-2016-6623 GHSA-2mcj-3r3r-v5wm | | Affected by 24 other vulnerabilities. |
| VCID-zv6a-mj99-p7az Aliases: CVE-2020-10802 GHSA-f4cr-3xmc-2wpm | In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table. | Affected by 6 other vulnerabilities. |
| VCID-zxus-a2uc-aqe8 Aliases: CVE-2017-1000014 GHSA-9hrc-rwrq-v6mh | | Affected by 24 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1k2k-x1hh-sfc5 | security update | CVE-2013-4995 |
| VCID-2j82-1bxx-7uh6 | | CVE-2014-5273 |
| VCID-3kqc-47x2-43cd | | CVE-2013-4998 |
| VCID-4age-g5bt-r7f8 | phpMyAdmin cross-site scripting Vulnerability in Table or Column Names: Multiple cross-site scripting (XSS) vulnerabilities in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) table name or (2) column name that is improperly handled during construction of an AJAX confirmation message. | CVE-2014-4986 GHSA-jqmr-wqgp-8mh2 |
| VCID-4r9b-k2zk-1kb1 | phpMyAdmin Implementation XSS Vulnerability on Server Monitor Page: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.5, 4.1.x before 4.1.14.6, and 4.2.x before 4.2.10.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database name or (2) table name, related to the `libraries/DatabaseInterface.class.php` code for SQL debug output and the `js/server_status_monitor.js` code for the server monitor page. | CVE-2014-8326 GHSA-pvr5-84gr-g985 |
| VCID-58t1-99j9-7ycc | | CVE-2013-5001 |
| VCID-6prg-vq7d-dfcc | phpMyAdmin Multiple cross-site scripting (XSS) vulnerabilities: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving a JavaScript event in (1) an anchor identifier to setup/index.php or (2) a chartTitle (aka chart title) value. | CVE-2013-4997 GHSA-5gh4-v2ch-pcx4 |
| VCID-838f-2f1n-pkh2 | phpMyAdmin cross-site scripting Vulnerability via ENUM value: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.4, 4.1.x before 4.1.14.5, and 4.2.x before 4.2.9.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted ENUM value that is improperly handled during rendering of the (1) table search or (2) table structure page, related to `libraries/TableSearch.class.php` and `libraries/Util.class.php`. | CVE-2014-7217 GHSA-wv8g-fx9j-q2jg |
| VCID-ahrp-z9m8-tbcs | security update | CVE-2014-8958 |
| VCID-bjkg-91qs-skcx | phpMyAdmin Global variables scope injection vulnerability: import.php in phpMyAdmin 4.x before 4.0.4.1 does not properly restrict the ability of input data to specify a file format, which allows remote authenticated users to modify the GLOBALS superglobal array, and consequently change the configuration, via a crafted request. | CVE-2013-4729 GHSA-x962-w72p-mv7q |
| VCID-chgb-rgxe-ffd5 | | CVE-2016-4412 |
| VCID-e9vh-41h7-s3c7 | | CVE-2013-5000 |
| VCID-fcjt-pzd8-cugv | | CVE-2014-8960 |
| VCID-ffb3-yvpv-kkds | security update | CVE-2013-4996 |
| VCID-gce6-e4d3-gkge | phpMyAdmin cross-site scripting vulnerability in crafted view name: A cross-site scripting (XSS) vulnerability in the view operations page in phpMyAdmin 4.1.x before 4.1.14.3 and 4.2.x before 4.2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted view name, related to `js/functions.js`. | CVE-2014-5274 GHSA-q586-xpwr-jc3j |
| VCID-ju3y-1w37-auax | | CVE-2014-8959 |
| VCID-k6nf-sde9-u7f4 | phpMyAdmin: Self-XSS due to unescaped HTML output in navigation items hiding feature | CVE-2014-4349 |
| VCID-nk4s-8ryt-r7a1 | | CVE-2014-4955 |
| VCID-nv2g-h4vb-d7cg | security update | CVE-2014-1879 |
| VCID-nvq3-kpr4-tygg | phpMyAdmin: Self-XSS due to unescaped HTML output in recent/favorite tables navigation | CVE-2014-4348 |
| VCID-p95j-37xp-pqbg | | CVE-2014-9219 |
| VCID-q5fb-upnt-7fdh | | CVE-2012-4219 |
| VCID-rby8-8wrn-h7df | phpMyAdmin micro history Implementation XSS Vulnerability: Cross-site scripting (XSS) vulnerability in the micro history implementation in phpMyAdmin 4.0.x before 4.0.10.3, 4.1.x before 4.1.14.4, and 4.2.x before 4.2.8.1 allows remote attackers to inject arbitrary web script or HTML, and consequently conduct a cross-site request forgery (CSRF) attack to create a root account, via a crafted URL, related to js/ajax.js. | CVE-2014-6300 GHSA-6wfj-2mw7-p5cg |
| VCID-scm4-rffy-gqc1 | | CVE-2014-9218 |
| VCID-smb4-qca5-ybaw | security update | CVE-2013-5003 |
| VCID-swg9-atpm-ryg1 | | CVE-2013-4999 |
| VCID-t6vn-7ar4-vyde | | CVE-2014-8961 |
| VCID-trqy-sz24-vqfn | | CVE-2014-4987 |
| VCID-tsxh-g8p7-pqag | | CVE-2014-4954 |
| VCID-tzn2-z2yc-7ue7 | phpMyAdmin Cross-site scripting (XSS) vulnerability via pageNumber value: Cross-site scripting (XSS) vulnerability in `libraries/schema/Export_Relation_Schema.class.php` in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted pageNumber value to schema_export.php. | CVE-2013-5002 GHSA-p632-5w74-x8xx |
| VCID-uwyk-mz9s-47b3 | | CVE-2013-5029 |
| VCID-zhem-w1eh-pydp | | CVE-2013-3742 |