Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Phpmyadmin Subscribe
Total 270 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-18264 2 Debian, Phpmyadmin 2 Debian Linux, Phpmyadmin 2019-10-02 7.5 HIGH 9.8 CRITICAL
An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions (e.g., version 5). This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). This occurs because some implementations of the PHP substr function return false when given '' as the first argument.
CVE-2019-11768 1 Phpmyadmin 1 Phpmyadmin 2019-06-13 7.5 HIGH 9.8 CRITICAL
An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature.
CVE-2019-12616 1 Phpmyadmin 1 Phpmyadmin 2019-06-13 4.3 MEDIUM 6.5 MEDIUM
An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.
CVE-2017-1000499 1 Phpmyadmin 1 Phpmyadmin 2019-04-30 6.8 MEDIUM 8.8 HIGH
phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a CSRF weakness. By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc.
CVE-2018-19968 2 Debian, Phpmyadmin 2 Debian Linux, Phpmyadmin 2019-04-23 4.0 MEDIUM 6.5 MEDIUM
An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a local file because of an error in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system.
CVE-2018-19970 2 Debian, Phpmyadmin 2 Debian Linux, Phpmyadmin 2019-04-22 4.3 MEDIUM 6.1 MEDIUM
In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a crafted database/table name.
CVE-2018-19969 1 Phpmyadmin 1 Phpmyadmin 2019-04-22 6.8 MEDIUM 8.8 HIGH
phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc.
CVE-2017-1000017 1 Phpmyadmin 1 Phpmyadmin 2019-03-25 6.5 MEDIUM 8.8 HIGH
phpMyAdmin 4.0, 4.4 and 4.6 are vulnerable to a weakness where a user with appropriate permissions is able to connect to an arbitrary MySQL server
CVE-2017-1000015 1 Phpmyadmin 1 Phpmyadmin 2019-03-20 4.3 MEDIUM 6.1 MEDIUM
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a CSS injection attack through crafted cookie parameters
CVE-2017-1000018 1 Phpmyadmin 1 Phpmyadmin 2019-03-20 5.0 MEDIUM 7.5 HIGH
phpMyAdmin 4.0, 4.4., and 4.6 are vulnerable to a DOS attack in the replication status by using a specially crafted table name
CVE-2017-1000014 1 Phpmyadmin 1 Phpmyadmin 2019-03-19 5.0 MEDIUM 7.5 HIGH
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a DOS weakness in the table editing functionality
CVE-2017-1000013 1 Phpmyadmin 1 Phpmyadmin 2019-03-19 5.8 MEDIUM 6.1 MEDIUM
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to an open redirect weakness
CVE-2013-1937 1 Phpmyadmin 1 Phpmyadmin 2019-02-10 4.3 MEDIUM 6.1 MEDIUM
** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow remote attackers to inject arbitrary web script or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameter. NOTE: a third party reports that this is "not exploitable."
CVE-2019-6798 1 Phpmyadmin 1 Phpmyadmin 2019-01-28 7.5 HIGH 9.8 CRITICAL
An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was reported where a specially crafted username can be used to trigger a SQL injection attack through the designer feature.
CVE-2016-5097 2 Opensuse, Phpmyadmin 2 Opensuse, Phpmyadmin 2018-10-30 5.0 MEDIUM 5.3 MEDIUM
phpMyAdmin before 4.6.2 places tokens in query strings and does not arrange for them to be stripped before external navigation, which allows remote attackers to obtain sensitive information by reading (1) HTTP requests or (2) server logs.
CVE-2016-2038 3 Fedoraproject, Opensuse, Phpmyadmin 4 Fedora, Leap, Opensuse and 1 more 2018-10-30 5.0 MEDIUM 5.3 MEDIUM
phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message.
CVE-2016-5701 2 Opensuse, Phpmyadmin 3 Leap, Opensuse, Phpmyadmin 2018-10-30 4.3 MEDIUM 6.1 MEDIUM
setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI.
CVE-2016-5703 2 Opensuse, Phpmyadmin 3 Leap, Opensuse, Phpmyadmin 2018-10-30 7.5 HIGH 9.8 CRITICAL
SQL injection vulnerability in libraries/central_columns.lib.php in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allows remote attackers to execute arbitrary SQL commands via a crafted database name that is mishandled in a central column query.
CVE-2016-5730 2 Opensuse, Phpmyadmin 3 Leap, Opensuse, Phpmyadmin 2018-10-30 5.0 MEDIUM 5.3 MEDIUM
phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a missing config directory during setup, or (5) an incorrect OpenID identifier data type, which reveals the full path in an error message.
CVE-2014-6300 2 Opensuse, Phpmyadmin 2 Opensuse, Phpmyadmin 2018-10-30 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the micro history implementation in phpMyAdmin 4.0.x before 4.0.10.3, 4.1.x before 4.1.14.4, and 4.2.x before 4.2.8.1 allows remote attackers to inject arbitrary web script or HTML, and consequently conduct a cross-site request forgery (CSRF) attack to create a root account, via a crafted URL, related to js/ajax.js.