Total
270 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-18264 | 2 Debian, Phpmyadmin | 2 Debian Linux, Phpmyadmin | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions (e.g., version 5). This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). This occurs because some implementations of the PHP substr function return false when given '' as the first argument. | |||||
| CVE-2019-11768 | 1 Phpmyadmin | 1 Phpmyadmin | 2019-06-13 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature. | |||||
| CVE-2019-12616 | 1 Phpmyadmin | 1 Phpmyadmin | 2019-06-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim. | |||||
| CVE-2017-1000499 | 1 Phpmyadmin | 1 Phpmyadmin | 2019-04-30 | 6.8 MEDIUM | 8.8 HIGH |
| phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a CSRF weakness. By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc. | |||||
| CVE-2018-19968 | 2 Debian, Phpmyadmin | 2 Debian Linux, Phpmyadmin | 2019-04-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a local file because of an error in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system. | |||||
| CVE-2018-19970 | 2 Debian, Phpmyadmin | 2 Debian Linux, Phpmyadmin | 2019-04-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a crafted database/table name. | |||||
| CVE-2018-19969 | 1 Phpmyadmin | 1 Phpmyadmin | 2019-04-22 | 6.8 MEDIUM | 8.8 HIGH |
| phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc. | |||||
| CVE-2017-1000017 | 1 Phpmyadmin | 1 Phpmyadmin | 2019-03-25 | 6.5 MEDIUM | 8.8 HIGH |
| phpMyAdmin 4.0, 4.4 and 4.6 are vulnerable to a weakness where a user with appropriate permissions is able to connect to an arbitrary MySQL server | |||||
| CVE-2017-1000015 | 1 Phpmyadmin | 1 Phpmyadmin | 2019-03-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a CSS injection attack through crafted cookie parameters | |||||
| CVE-2017-1000018 | 1 Phpmyadmin | 1 Phpmyadmin | 2019-03-20 | 5.0 MEDIUM | 7.5 HIGH |
| phpMyAdmin 4.0, 4.4., and 4.6 are vulnerable to a DOS attack in the replication status by using a specially crafted table name | |||||
| CVE-2017-1000014 | 1 Phpmyadmin | 1 Phpmyadmin | 2019-03-19 | 5.0 MEDIUM | 7.5 HIGH |
| phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a DOS weakness in the table editing functionality | |||||
| CVE-2017-1000013 | 1 Phpmyadmin | 1 Phpmyadmin | 2019-03-19 | 5.8 MEDIUM | 6.1 MEDIUM |
| phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to an open redirect weakness | |||||
| CVE-2013-1937 | 1 Phpmyadmin | 1 Phpmyadmin | 2019-02-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow remote attackers to inject arbitrary web script or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameter. NOTE: a third party reports that this is "not exploitable." | |||||
| CVE-2019-6798 | 1 Phpmyadmin | 1 Phpmyadmin | 2019-01-28 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was reported where a specially crafted username can be used to trigger a SQL injection attack through the designer feature. | |||||
| CVE-2016-5097 | 2 Opensuse, Phpmyadmin | 2 Opensuse, Phpmyadmin | 2018-10-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| phpMyAdmin before 4.6.2 places tokens in query strings and does not arrange for them to be stripped before external navigation, which allows remote attackers to obtain sensitive information by reading (1) HTTP requests or (2) server logs. | |||||
| CVE-2016-2038 | 3 Fedoraproject, Opensuse, Phpmyadmin | 4 Fedora, Leap, Opensuse and 1 more | 2018-10-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. | |||||
| CVE-2016-5701 | 2 Opensuse, Phpmyadmin | 3 Leap, Opensuse, Phpmyadmin | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI. | |||||
| CVE-2016-5703 | 2 Opensuse, Phpmyadmin | 3 Leap, Opensuse, Phpmyadmin | 2018-10-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in libraries/central_columns.lib.php in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allows remote attackers to execute arbitrary SQL commands via a crafted database name that is mishandled in a central column query. | |||||
| CVE-2016-5730 | 2 Opensuse, Phpmyadmin | 3 Leap, Opensuse, Phpmyadmin | 2018-10-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a missing config directory during setup, or (5) an incorrect OpenID identifier data type, which reveals the full path in an error message. | |||||
| CVE-2014-6300 | 2 Opensuse, Phpmyadmin | 2 Opensuse, Phpmyadmin | 2018-10-30 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the micro history implementation in phpMyAdmin 4.0.x before 4.0.10.3, 4.1.x before 4.1.14.4, and 4.2.x before 4.2.8.1 allows remote attackers to inject arbitrary web script or HTML, and consequently conduct a cross-site request forgery (CSRF) attack to create a root account, via a crafted URL, related to js/ajax.js. | |||||