| purl | pkg:deb/debian/phpmyadmin@4:4.6.6-4%2Bdeb9u1 |
| Next non-vulnerable version | 4:5.2.1+dfsg-1+deb12u1 |
| Latest non-vulnerable version | 4:5.2.1+dfsg-1+deb12u1 |
| Risk | 10.0 |

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-17ng-yksd-eybe Aliases: CVE-2019-6798 GHSA-f732-fxh6-g4qj | An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was reported where a specially crafted username can be used to trigger a SQL injection attack through the designer feature. | Affected by 6 other vulnerabilities. |
| VCID-1dgw-1ueg-sudt Aliases: CVE-2019-12922 GHSA-4c9q-64gq-xhx4 | A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server in the Setup page. | Affected by 6 other vulnerabilities. |
| VCID-1wkj-35wu-73gj Aliases: CVE-2021-21252 GHSA-jxwx-85vp-gvwm | Regular Expression Denial of Service in jquery-validation: The GitHub Security Lab team has identified potential security vulnerabilities in jquery.validation. The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service). This issue was discovered and reported by GitHub team member @erik-krogh (Erik Krogh Kristensen). | Affected by 6 other vulnerabilities. |
| VCID-23az-qkmn-gbe3 Aliases: CVE-2025-24530 GHSA-222v-cx2c-q2f5 | phpMyAdmin XSS when checking tables: An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS. | Affected by 0 other vulnerabilities. |
| VCID-8tvp-hwm3-5ffn Aliases: CVE-2019-11768 GHSA-x37v-98f9-mj32 | An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature. | Affected by 6 other vulnerabilities. |
| VCID-b2mf-bz89-gfau Aliases: CVE-2018-19968 GHSA-xc97-r49q-cxgc | An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a local file because of an error in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system. | Affected by 6 other vulnerabilities. |
| VCID-czxz-y6wm-ekfj Aliases: CVE-2020-26935 GHSA-7ff4-cv53-4cjq | An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL into a query. | Affected by 6 other vulnerabilities. |
| VCID-gee5-junk-b3b2 Aliases: CVE-2025-24529 | An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab. | Affected by 0 other vulnerabilities. |
| VCID-hdce-qvrp-fqcg Aliases: CVE-2020-22452 GHSA-prcg-mc23-hgjh | phpmyadmin contains SQL Injection vulnerability: SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.0.2 via the tbl_storage_engine or tbl_collation parameters to tbl_create.php. | Affected by 6 other vulnerabilities. |
| VCID-jbs5-da9z-ske9 Aliases: CVE-2019-6799 GHSA-c8wj-q36q-3wg4 | An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of "options(MYSQLI_OPT_LOCAL_INFILE" calls. | Affected by 6 other vulnerabilities. |
| VCID-jzcm-zdxr-pyhc Aliases: CVE-2018-7260 GHSA-gqmj-f46x-wqhw | Cross-site scripting (XSS) vulnerability in db_central_columns.php in phpMyAdmin before 4.7.8 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | Affected by 6 other vulnerabilities. |
| VCID-m8yx-dpuh-jqau Aliases: CVE-2018-19969 GHSA-xwf2-53mc-r8hx | phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc. | Affected by 6 other vulnerabilities. |
| VCID-mtvz-3r6z-33bk Aliases: CVE-2019-19617 GHSA-pgph-mc4p-f8c3 | phpMyAdmin before 4.9.2 does not escape certain Git information, related to libraries/classes/Display/GitRevision.php and libraries/classes/Footer.php. | Affected by 6 other vulnerabilities. |
| VCID-nhqn-h1hc-73da Aliases: CVE-2020-26934 GHSA-6349-53vr-7hcr | phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted link. | Affected by 6 other vulnerabilities. |
| VCID-nw94-xevj-tba8 Aliases: CVE-2020-10804 GHSA-h65r-8fp8-w7cx | In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges). | Affected by 6 other vulnerabilities. |
| VCID-qkag-45nb-aybv Aliases: CVE-2020-5504 GHSA-fgj8-93xx-f6g6 | In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server. | Affected by 6 other vulnerabilities. |
| VCID-rxxw-3759-efcb Aliases: CVE-2019-12616 GHSA-mfr9-pcm3-6mwc | An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken `<img>` tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim. | Affected by 6 other vulnerabilities. |
| VCID-u2js-dkmt-h3fc Aliases: CVE-2018-10188 GHSA-v6fp-h79x-9rqc | phpMyAdmin 4.8.0 before 4.8.0-1 has CSRF, allowing an attacker to execute arbitrary SQL statements, related to js/db_operations.js, js/tbl_operations.js, libraries/classes/Operations.php, and sql.php. | Affected by 6 other vulnerabilities. |
| VCID-u6cb-a35s-8yaf Aliases: CVE-2019-18622 GHSA-jgjc-332c-8cmc | An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature. | Affected by 6 other vulnerabilities. |
| VCID-vf18-jwgj-guhn Aliases: CVE-2018-19970 GHSA-8987-93fh-rcwq | In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a crafted database/table name. | Affected by 6 other vulnerabilities. |
| VCID-weje-ut8w-3fh9 Aliases: CVE-2023-25727 GHSA-6hr3-44gx-g6wh | Cross-site Scripting vulnerability in drag-and-drop upload of phpMyAdmin: In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger Cross-site Scripting (XSS) by uploading a crafted .sql file through the drag-and-drop interface. By disabling the configuration directive `$cfg['enable_drag_drop_import']`, users will be unable to use the drag and drop upload which would protect against the vulnerability. | Affected by 0 other vulnerabilities. |
| VCID-x7gr-hgqa-2uek Aliases: CVE-2020-10803 GHSA-fcww-8wvc-38q9 | In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack. | Affected by 6 other vulnerabilities. |
| VCID-ywx4-k59s-kyfw Aliases: CVE-2018-12581 GHSA-vxj6-pm6r-23hq | An issue was discovered in js/designer/move.js in phpMyAdmin before 4.8.2. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature. | Affected by 6 other vulnerabilities. |
| VCID-zv6a-mj99-p7az Aliases: CVE-2020-10802 GHSA-f4cr-3xmc-2wpm | In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table. | Affected by 6 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1jfu-df2q-duhz | | CVE-2016-9858 |
| VCID-1kme-6s76-k3es | phpMyAdmin vulnerable to Cross-site Scripting: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an "invalid JSON" error message in the error console, (3) a database name in the central columns implementation, (4) a group name, or (5) a search name in the bookmarks implementation. | CVE-2016-5705 GHSA-6q2j-8h8q-46mr |
| VCID-1psm-e1bq-rqg1 | | CVE-2016-9850 |
| VCID-1v5y-zvte-tugk | | CVE-2016-9852 |
| VCID-2739-kr2f-fbd8 | phpMyAdmin Cross-site scripting (XSS) vulnerability: Cross-site scripting (XSS) vulnerability in examples/openid.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message. | CVE-2016-5731 GHSA-mwm8-36c5-j5cf |
| VCID-2w3y-zh4u-bkgf | | CVE-2016-9864 |
| VCID-2x7w-vq7h-jfcu | | CVE-2016-9853 GHSA-rmmf-5xhh-gg27 |
| VCID-2xx7-djgx-j7ap | | CVE-2016-2043 |
| VCID-3493-p7bx-pfbz | | CVE-2016-9848 |
| VCID-35nm-8pfp-mkaq | | CVE-2016-9866 GHSA-jvxx-8xxf-5495 |
| VCID-3jkz-zdy6-n7dz | phpMyAdmin XSS Vulnerability: Cross-site scripting (XSS) vulnerability in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving a comment. | CVE-2016-5704 GHSA-gcvp-cwgw-wx8j |
| VCID-43mn-rf4g-ayg6 | phpMyAdmin Cross-site Scripting (XSS): XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the "Remove partitioning" functionality. Specially crafted database names can trigger the XSS attack. All 4.6.x versions (prior to 4.6.4) are affected. | CVE-2016-6608 GHSA-jfmj-27fp-qp67 |
| VCID-49vs-6j8s-pkey | phpMyAdmin ReCaptcha bypass: libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4.3.x before 4.3.13.2 and 4.4.x before 4.4.14.1 allows remote attackers to bypass a multiple-reCaptcha protection mechanism against brute-force credential guessing by providing a correct response to a single reCaptcha. | CVE-2015-6830 GHSA-v6fh-vg22-r6cm |
| VCID-4k9b-4mxz-87e5 | phpMyAdmin Authentication Bypass: An issue was discovered in phpMyAdmin involving the `$cfg['ArbitraryServerRegexp']` configuration directive. An attacker could reuse certain cookie values in a way of bypassing the servers defined by ArbitraryServerRegexp. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | CVE-2016-6629 GHSA-567r-vqj7-5cw7 |
| VCID-56x2-cfhw-6kcx | | CVE-2016-6607 |
| VCID-5bk1-q3nj-6qef | phpMyAdmin vulnerable to Cross-site Scripting: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during privilege checking in table_row.phtml, (2) a crafted mysqld log_bin directive that is mishandled in log_selector.phtml, (3) the Transformation implementation, (4) AJAX error handling in js/ajax.js, (5) the Designer implementation, (6) the charts implementation in js/tbl_chart.js, or (7) the zoom-search implementation in rows_zoom.phtml. | CVE-2016-5733 GHSA-cr65-p662-fx5c |
| VCID-5kds-ef23-g7dm | security update | CVE-2016-2560 |
| VCID-5qej-xfah-1kaa | | CVE-2016-6628 GHSA-phhm-63xx-v9rr |
| VCID-5x6h-hhj1-5uab | | CVE-2016-9863 GHSA-qgrq-64g6-mmh6 |
| VCID-6j1s-geef-pfb6 | phpMyAdmin DoS Vulnerability: phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a DOS attack in the replication status by using a specially crafted table name. | CVE-2017-1000018 GHSA-47qr-f86f-3wm4 |
| VCID-7r2d-sfax-4ycd | | CVE-2016-6610 |
| VCID-7r2d-wwa7-v3dp | | CVE-2016-9849 |
| VCID-7udu-bp8s-t7es | phpMyAdmin Open Redirect: phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to an open redirect weakness. | CVE-2017-1000013 GHSA-5h5m-fj48-qpjw |
| VCID-84pb-neh5-73by | phpMyAdmin Unsafe comparison of XSRF/CSRF token: libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences. | CVE-2016-2041 GHSA-8m97-xc46-rw9w |
| VCID-96h9-nz2g-g3be | phpMyAdmin Denial of service (DOS) attack in transformation feature: An issue was discovered in phpMyAdmin. The transformation feature allows a user to trigger a denial-of-service (DoS) attack against the server. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | CVE-2016-6618 GHSA-rv6m-chvv-wmxg |
| VCID-9a76-y48q-zbeb | | CVE-2016-6619 |
| VCID-9h1t-5fsg-bbcp | phpMyAdmin Cross-site scripting (XSS) vulnerability in SQL parser: Cross-site scripting (XSS) vulnerability in the format function in libraries/sql-parser/src/Utils/Error.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.5.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query. | CVE-2016-2559 GHSA-7rf8-9r8f-qf59 |
| VCID-ar2s-q1ey-9ua6 | | CVE-2016-9856 GHSA-j8mx-x32r-5rf4 |
| VCID-b6rz-wky4-vkfm | | CVE-2016-2038 |
| VCID-c4mp-bzke-4bhw | phpMyAdmin DoS Vulnerability: An issue was discovered in phpMyAdmin. An unauthenticated user is able to execute a denial-of-service (DoS) attack by forcing persistent connections when phpMyAdmin is running with `$cfg['AllowArbitraryServer']=true`. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | CVE-2016-6622 GHSA-qf3f-7x69-qfv3 |
| VCID-cwsu-1uh4-77dz | | CVE-2016-6616 |
| VCID-czfr-b4gq-j3cj | security update | CVE-2016-2561 |
| VCID-dpv2-3xj4-s7hm | phpMyAdmin Denial Of Service (DOS) attack: js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to cause a denial of service via a large array in the scripts parameter. | CVE-2016-5706 GHSA-9rmm-8fp4-26hv |
| VCID-drg7-e5cv-mubp | security update | CVE-2016-2039 |
| VCID-drq8-z1qe-7ufh | phpMyAdmin SSRF in replication: phpMyAdmin 4.0, 4.4 and 4.6 are vulnerable to a weakness where a user with appropriate permissions is able to connect to an arbitrary MySQL server. | CVE-2017-1000017 GHSA-99xj-xqc9-98hr |
| VCID-e3xu-5ny1-rkab | | CVE-2016-6633 GHSA-p849-vf5f-f3x7 |
| VCID-e7wm-q3zx-xfea | | CVE-2016-6627 |
| VCID-e8kt-2au9-x3ba | | CVE-2016-5703 |
| VCID-e9sk-1r4g-5ycd | security update | CVE-2016-5099 |
| VCID-f4bk-253j-fkgv | phpMyAdmin allows remote attackers to spoof content via the url parameter: The redirection feature in url.php in phpMyAdmin 4.4.x before 4.4.15.1 and 4.5.x before 4.5.1 allows remote attackers to spoof content via the url parameter. | CVE-2015-7873 GHSA-5pmg-qh2c-7j24 |
| VCID-f7s2-6bk2-j7c9 | | CVE-2016-6617 |
| VCID-fhk8-rvr9-zbfy | | CVE-2016-9862 |
| VCID-fsw3-zq48-s3bh | phpMyAdmin vulnerable to Cross-site Scripting: setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI. | CVE-2016-5701 GHSA-rh74-5835-jpxp |
| VCID-g5fx-sqr6-3bba | | CVE-2016-9865 |
| VCID-g67g-ycx6-ebat | An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions caused by `$cfg['Servers'][$i]['AllowNoPassword'] = false` are bypassed under certain PHP versions (e.g., version 5). This can allow the login of users who have no password set even if the administrator has set `$cfg['Servers'][$i]['AllowNoPassword']` to false (which is also the default). This occurs because some implementations of the PHP substr function return false when given '' as the first argument. | CVE-2017-18264 GHSA-5868-g58j-vrj5 |
| VCID-hy45-dt9r-y3a2 | phpMyAdmin Local file exposure: An issue was discovered in phpMyAdmin. A user can exploit the LOAD LOCAL INFILE functionality to expose files on the server to the database system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | CVE-2016-6612 GHSA-fcgm-62p3-f7cm |
| VCID-jmh7-efse-p3hk | | CVE-2016-5097 |
| VCID-jwbb-tmzj-4qhb | | CVE-2015-8669 |
| VCID-jxqx-dh1t-eua2 | phpMyAdmin IPv6 and proxy server IP-based authentication rule circumvention: An issue was discovered in phpMyAdmin involving improper enforcement of the IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | CVE-2016-6624 GHSA-mhxj-6vf8-mwv3 |
| VCID-kfee-bu9e-ryet | | CVE-2016-9855 |
| VCID-kw8w-rzsv-x7aq | | CVE-2016-9851 GHSA-r2vw-p77f-vc27 |
| VCID-kzr5-ef5h-dfbr | | CVE-2016-6613 GHSA-6j2v-g9rg-qcm5 |
| VCID-m59a-5uea-rfa9 | phpMyAdmin Code Injection vulnerability: phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation. | CVE-2016-5734 GHSA-rv57-479x-x4qv |
| VCID-n6tc-38md-yug7 | | CVE-2016-6615 |
| VCID-nmus-bk41-qfbq | phpMyAdmin Cryptographic Vulnerability: The `suggestPassword` function in `js/functions.js` in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the `Math.random` JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach. | CVE-2016-1927 GHSA-4gmg-gwjh-3mmr |
| VCID-nv63-x4p5-tugf | security update | CVE-2015-2206 |
| VCID-p5pc-qgwf-23ag | security update | CVE-2015-3903 |
| VCID-p8xn-tscc-4qhu | | CVE-2017-1000015 GHSA-3fgq-cmr4-97rr |
| VCID-qhn7-b1w4-vkfn | phpMyAdmin vulnerable to Cross-Site Request Forgery: The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php. | CVE-2016-5739 GHSA-2p7v-jm8m-g3qq |
| VCID-qmfr-5d3y-27au | | CVE-2016-6609 GHSA-wpww-hx7x-xfjh |
| VCID-qqt9-hgf5-nkfp | | CVE-2016-2045 |
| VCID-qu34-hevh-v3a9 | phpMyAdmin server-side request forgery (SSRF): The setup script for phpMyAdmin before 4.0.10.19, 4.4.x before 4.4.15.10, and 4.6.x before 4.6.6 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors. | CVE-2016-6621 GHSA-44vv-mm86-7cg6 |
| VCID-qvb8-x5h7-1kax | | CVE-2016-9857 GHSA-hmmx-wxh4-9w8w |
| VCID-qxgd-ufvd-nue7 | phpMyAdmin XSS Vulnerability: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname in a Location header. | CVE-2016-2040 GHSA-pw34-qf6c-84fc |
| VCID-r3az-36ru-jbhv | phpMyAdmin Improper Input Validation: The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof these servers and obtain sensitive information via a crafted certificate. | CVE-2016-2562 GHSA-w8qg-j9fp-hrjf |
| VCID-rhpe-t27g-xycn | | CVE-2016-2044 |
| VCID-rqvv-7dvy-dqfd | | CVE-2016-9860 GHSA-3hw5-fffc-qrg4 |
| VCID-rs9g-rj3u-1bfy | | CVE-2016-9861 GHSA-r326-mp8g-6xfc |
| VCID-rspx-kym8-xydx | phpMyAdmin full path disclosure vulnerability: phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a missing config directory during setup, or (5) an incorrect OpenID identifier data type, which reveals the full path in an error message. | CVE-2016-5730 GHSA-wm9c-vcv2-vpqc |
| VCID-sbf9-au5e-t7h6 | | CVE-2016-6606 |
| VCID-tuac-cwdp-fycg | | CVE-2016-6626 |
| VCID-tx6k-19sr-2kh3 | phpMyAdmin Cookie attribute injection attack: A weakness was discovered where an attacker can inject arbitrary values into the browser cookies. This is a re-issue of an incomplete fix from PMASA-2016-18. | CVE-2017-1000016 GHSA-j2cq-h6v2-f875 |
| VCID-txdw-6pp4-4bes | | CVE-2016-6631 |
| VCID-u6jq-4avw-zub5 | security update | CVE-2015-3902 |
| VCID-v3xe-8zk4-q3gm | phpMyAdmin cookie-attribute injection: phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI. | CVE-2016-5702 GHSA-xqw9-ffx7-g998 |
| VCID-vhu1-psag-gkgc | | CVE-2016-6630 |
| VCID-vrnj-k5mr-23gp | | CVE-2016-6611 |
| VCID-wgv2-kxrx-1qcz | | CVE-2016-9859 |
| VCID-wu7r-kc8u-mubh | | CVE-2016-9854 |
| VCID-x1d8-mzdj-wbhw | | CVE-2016-6614 |
| VCID-x4xq-zycy-sfd5 | phpMyAdmin XSS Vulnerability: Multiple cross-site scripting (XSS) vulnerabilities in the partition-range implementation in `templates/table/structure/display_partitions.phtml` in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via crafted table parameters. | CVE-2016-5732 GHSA-3q28-xfw3-2q35 |
| VCID-xn5r-tzjc-bqcg | phpMyAdmin: Multiple full path disclosure vulnerabilities (PMASA-2016-6) | CVE-2016-2042 |
| VCID-xrnq-v6ph-97hn | | CVE-2016-9847 GHSA-9xhq-pm7v-693p |
| VCID-xwep-f5r7-ryhj | | CVE-2016-6620 |
| VCID-ysy7-psez-cbhq | The plural form formula in ngettext family of calls in php-gettext before 1.0.12 allows remote attackers to execute arbitrary code. | CVE-2015-8980 |
| VCID-yvwv-ebhn-x3g5 | phpMyAdmin allows to detect if user is logged in: An issue was discovered in phpMyAdmin. An attacker can determine whether a user is logged in to phpMyAdmin. The user's session, username, and password are not compromised by this vulnerability. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | CVE-2016-6625 GHSA-r643-7xfg-ppc5 |
| VCID-z37z-773u-2fd7 | | CVE-2016-6632 GHSA-426q-975p-w5cr |
| VCID-zjy7-eubd-1qbz | | CVE-2016-6623 GHSA-2mcj-3r3r-v5wm |
| VCID-zxus-a2uc-aqe8 | | CVE-2017-1000014 GHSA-9hrc-rwrq-v6mh |