Vulnerability details: VCID-rxxw-3759-efcb
Vulnerability ID VCID-rxxw-3759-efcb
Aliases CVE-2019-12616
GHSA-mfr9-pcm3-6mwc
Summary An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.
Status Published
Exploitability 2.0
Weighted Severity 6.2
Risk 10.0
System Score Found at
epss 0.46361 https://api.first.org/data/v1/epss?cve=CVE-2019-12616
epss 0.49261 https://api.first.org/data/v1/epss?cve=CVE-2019-12616
epss 0.54413 https://api.first.org/data/v1/epss?cve=CVE-2019-12616
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-mfr9-pcm3-6mwc
cvssv3.1 6.5 https://github.com/phpmyadmin/phpmyadmin/commit/015c404038c44279d95b6430ee5a0dddc97691ec
generic_textual MODERATE https://github.com/phpmyadmin/phpmyadmin/commit/015c404038c44279d95b6430ee5a0dddc97691ec
cvssv2 4.3 https://nvd.nist.gov/vuln/detail/CVE-2019-12616
cvssv3 6.5 https://nvd.nist.gov/vuln/detail/CVE-2019-12616
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2019-12616
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2019-12616
cvssv3.1 6.5 https://packetstormsecurity.com/files/153251/phpMyAdmin-4.8-Cross-Site-Request-Forgery.html
generic_textual MODERATE https://packetstormsecurity.com/files/153251/phpMyAdmin-4.8-Cross-Site-Request-Forgery.html
cvssv3.1 6.5 https://www.phpmyadmin.net/security/PMASA-2019-4
generic_textual MODERATE https://www.phpmyadmin.net/security/PMASA-2019-4
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00005.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00017.html
http://packetstormsecurity.com/files/153251/phpMyAdmin-4.8-Cross-Site-Request-Forgery.html
https://api.first.org/data/v1/epss?cve=CVE-2019-12616
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12616
https://github.com/phpmyadmin/phpmyadmin/commit/015c404038c44279d95b6430ee5a0dddc97691ec
https://lists.debian.org/debian-lts-announce/2019/06/msg00009.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/II4HC4QO6WUL2IRSQKCB66UBJOLLI5OV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKJMYVXEDXGEGRO42T6H6VOEZJ65QPQ7/
https://nvd.nist.gov/vuln/detail/CVE-2019-12616
https://packetstormsecurity.com/files/153251/phpMyAdmin-4.8-Cross-Site-Request-Forgery.html
https://www.phpmyadmin.net/security/
https://www.phpmyadmin.net/security/PMASA-2019-4
https://www.phpmyadmin.net/security/PMASA-2019-4/
http://www.securityfocus.com/bid/108619
930017 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930017
cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*
CVE-2019-12616 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46982.txt
GHSA-mfr9-pcm3-6mwc https://github.com/advisories/GHSA-mfr9-pcm3-6mwc
USN-4639-1 https://usn.ubuntu.com/4639-1/
USN-USN-4843-1 https://usn.ubuntu.com/USN-4843-1/
Data source Exploit-DB
Date added June 11, 2019
Description phpMyAdmin 4.8 - Cross-Site Request Forgery
Ransomware campaign use Unknown
Source publication date June 11, 2019
Exploit type webapps
Platform php
Source update date June 11, 2019
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/phpmyadmin/phpmyadmin/commit/015c404038c44279d95b6430ee5a0dddc97691ec

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-12616

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-12616

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://packetstormsecurity.com/files/153251/phpMyAdmin-4.8-Cross-Site-Request-Forgery.html

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://www.phpmyadmin.net/security/PMASA-2019-4

Exploit Prediction Scoring System (EPSS)
Percentile 0.97577
EPSS Score 0.46361
Published At Aug. 1, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:30:27.578715+00:00 Alpine Linux Importer Import https://secdb.alpinelinux.org/v3.12/community.json 37.0.0