Vulnerability details: VCID-bc59-u3jt-u3fj
Vulnerability ID VCID-bc59-u3jt-u3fj
Aliases CVE-2009-1151
Summary Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action.
Status Published
Exploitability 2.0
Weighted Severity 8.8
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
cvssv3.1 9.8 http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
ssvc Act http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
cvssv3.1 9.8 http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
ssvc Act http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
cvssv3.1 9.8 http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301
ssvc Act http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301
epss 0.93032 https://api.first.org/data/v1/epss?cve=CVE-2009-1151
cvssv3.1 9.8 http://secunia.com/advisories/34430
ssvc Act http://secunia.com/advisories/34430
cvssv3.1 9.8 http://secunia.com/advisories/34642
ssvc Act http://secunia.com/advisories/34642
cvssv3.1 9.8 http://secunia.com/advisories/35585
ssvc Act http://secunia.com/advisories/35585
cvssv3.1 9.8 http://secunia.com/advisories/35635
ssvc Act http://secunia.com/advisories/35635
cvssv3.1 9.8 http://security.gentoo.org/glsa/glsa-200906-03.xml
ssvc Act http://security.gentoo.org/glsa/glsa-200906-03.xml
cvssv3.1 9.8 https://www.exploit-db.com/exploits/8921
ssvc Act https://www.exploit-db.com/exploits/8921
cvssv3.1 9.8 http://www.debian.org/security/2009/dsa-1824
ssvc Act http://www.debian.org/security/2009/dsa-1824
cvssv3.1 9.8 http://www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/
ssvc Act http://www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/
cvssv3.1 9.8 http://www.mandriva.com/security/advisories?name=MDVSA-2009:115
ssvc Act http://www.mandriva.com/security/advisories?name=MDVSA-2009:115
cvssv3.1 9.8 http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
ssvc Act http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
cvssv3.1 9.8 http://www.securityfocus.com/archive/1/504191/100/0/threaded
ssvc Act http://www.securityfocus.com/archive/1/504191/100/0/threaded
cvssv3.1 9.8 http://www.securityfocus.com/bid/34236
ssvc Act http://www.securityfocus.com/bid/34236
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-1151.json
https://api.first.org/data/v1/epss?cve=CVE-2009-1151
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1151
34236 http://www.securityfocus.com/bid/34236
34430 http://secunia.com/advisories/34430
34642 http://secunia.com/advisories/34642
35585 http://secunia.com/advisories/35585
35635 http://secunia.com/advisories/35635
492066 https://bugzilla.redhat.com/show_bug.cgi?id=492066
8921 https://www.exploit-db.com/exploits/8921
about-cve-2009-1151 http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
advisories?name=MDVSA-2009:115 http://www.mandriva.com/security/advisories?name=MDVSA-2009:115
CVE-2009-1151;OSVDB-53076 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/16913.rb
CVE-2009-1151;OSVDB-53076 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/8992.php
cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept http://www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/
dsa-1824 http://www.debian.org/security/2009/dsa-1824
glsa-200906-03.xml http://security.gentoo.org/glsa/glsa-200906-03.xml
OSVDB-53076;CVE-2009-1151 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/8921.sh
PMASA-2009-3.php http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
setup.php?r1=11514&r2=12301&pathrev=12301 http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301
threaded http://www.securityfocus.com/archive/1/504191/100/0/threaded
Data source Metasploit
Description This module exploits a vulnerability in phpMyAdmin's setup feature which allows an attacker to inject arbitrary PHP code into a configuration file. The original advisory says the vulnerability is present in phpMyAdmin versions 2.11.x < 2.11.9.5 and 3.x < 3.1.3.1; this module was tested on 3.0.1.1. The file where our payload is written (phpMyAdmin/config/config.inc.php) is not directly used by the system, so it may be a good idea to either delete it or copy the running config (phpMyAdmin/config.inc.php) over it after successful exploitation.
Note
Reliability:
  - unknown-reliability
Stability:
  - unknown-stability
SideEffects:
  - unknown-side-effects
Ransomware campaign use Unknown
Source publication date March 24, 2009
Platform PHP
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/unix/webapp/phpmyadmin_config.rb
Data source KEV
Date added March 25, 2022
Description Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file.
Required action Apply updates per vendor instructions.
Due date April 15, 2022
Note
https://nvd.nist.gov/vuln/detail/CVE-2009-1151
Ransomware campaign use Unknown
Data source Exploit-DB
Date added July 3, 2010
Description phpMyAdmin - Config File Code Injection (Metasploit)
Ransomware campaign use Known
Source publication date July 3, 2010
Exploit type webapps
Platform php
Source update date March 6, 2011
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://secunia.com/advisories/34430
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://secunia.com/advisories/34430
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://secunia.com/advisories/34642
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://secunia.com/advisories/34642
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://secunia.com/advisories/35585
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://secunia.com/advisories/35585
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://secunia.com/advisories/35635
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://secunia.com/advisories/35635
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://security.gentoo.org/glsa/glsa-200906-03.xml
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://security.gentoo.org/glsa/glsa-200906-03.xml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.exploit-db.com/exploits/8921
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at https://www.exploit-db.com/exploits/8921
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.debian.org/security/2009/dsa-1824
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://www.debian.org/security/2009/dsa-1824
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.mandriva.com/security/advisories?name=MDVSA-2009:115
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://www.mandriva.com/security/advisories?name=MDVSA-2009:115
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.securityfocus.com/archive/1/504191/100/0/threaded
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://www.securityfocus.com/archive/1/504191/100/0/threaded
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.securityfocus.com/bid/34236
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://www.securityfocus.com/bid/34236
Exploit Prediction Scoring System (EPSS)
Percentile 0.99772
EPSS Score 0.93032
Published At Sept. 20, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T09:31:20.043714+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2009/1xxx/CVE-2009-1151.json 37.0.0