Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Phpmyadmin Subscribe
Filtered by product Phpmyadmin
Total 270 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2011-2505 1 Phpmyadmin 1 Phpmyadmin 2018-10-09 6.4 MEDIUM N/A
libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a "remote variable manipulation vulnerability."
CVE-2018-12581 1 Phpmyadmin 1 Phpmyadmin 2018-08-10 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in js/designer/move.js in phpMyAdmin before 4.8.2. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature.
CVE-2016-6619 1 Phpmyadmin 1 Phpmyadmin 2018-07-07 6.5 MEDIUM 8.8 HIGH
An issue was discovered in phpMyAdmin. In the user interface preference feature, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-9865 1 Phpmyadmin 1 Phpmyadmin 2018-07-07 7.5 HIGH 9.8 CRITICAL
An issue was discovered in phpMyAdmin. Due to a bug in serialized string parsing, it was possible to bypass the protection offered by PMA_safeUnserialize() function. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
CVE-2016-6620 1 Phpmyadmin 1 Phpmyadmin 2018-07-07 7.5 HIGH 9.8 CRITICAL
An issue was discovered in phpMyAdmin. Some data is passed to the PHP unserialize() function without verification that it's valid serialized data. The unserialization can result in code execution because of the interaction with object instantiation and autoloading. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-6616 1 Phpmyadmin 1 Phpmyadmin 2018-07-07 6.8 MEDIUM 7.5 HIGH
An issue was discovered in phpMyAdmin. In the "User group" and "Designer" features, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected.
CVE-2016-6622 1 Phpmyadmin 1 Phpmyadmin 2018-07-07 4.3 MEDIUM 5.9 MEDIUM
An issue was discovered in phpMyAdmin. An unauthenticated user is able to execute a denial-of-service (DoS) attack by forcing persistent connections when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-6615 1 Phpmyadmin 1 Phpmyadmin 2018-07-07 4.3 MEDIUM 6.1 MEDIUM
XSS issues were discovered in phpMyAdmin. This affects navigation pane and database/table hiding feature (a specially-crafted database name can be used to trigger an XSS attack); the "Tracking" feature (a specially-crafted query can be used to trigger an XSS attack); and GIS visualization feature. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected.
CVE-2016-6621 1 Phpmyadmin 1 Phpmyadmin 2018-07-07 5.0 MEDIUM 8.6 HIGH
The setup script for phpMyAdmin before 4.0.10.19, 4.4.x before 4.4.15.10, and 4.6.x before 4.6.6 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors.
CVE-2016-6609 1 Phpmyadmin 1 Phpmyadmin 2018-07-07 6.5 MEDIUM 8.8 HIGH
An issue was discovered in phpMyAdmin. A specially crafted database name could be used to run arbitrary PHP commands through the array export feature. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-6618 1 Phpmyadmin 1 Phpmyadmin 2018-07-07 4.0 MEDIUM 6.5 MEDIUM
An issue was discovered in phpMyAdmin. The transformation feature allows a user to trigger a denial-of-service (DoS) attack against the server. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-6614 1 Phpmyadmin 1 Phpmyadmin 2018-07-07 4.3 MEDIUM 6.8 MEDIUM
An issue was discovered in phpMyAdmin involving the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a specially-crafted user name can be used to circumvent restrictions to traverse the file system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2018-10188 1 Phpmyadmin 1 Phpmyadmin 2018-05-21 6.8 MEDIUM 8.8 HIGH
phpMyAdmin 4.8.0 before 4.8.0-1 has CSRF, allowing an attacker to execute arbitrary SQL statements, related to js/db_operations.js, js/tbl_operations.js, libraries/classes/Operations.php, and sql.php.
CVE-2018-7260 1 Phpmyadmin 1 Phpmyadmin 2018-03-06 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in db_central_columns.php in phpMyAdmin before 4.7.8 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
CVE-2012-1902 1 Phpmyadmin 1 Phpmyadmin 2018-01-17 4.3 MEDIUM N/A
show_config_errors.php in phpMyAdmin 3.4.x before 3.4.10.2, when a configuration file does not exist, allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message about this missing file.
CVE-2012-1190 1 Phpmyadmin 1 Phpmyadmin 2018-01-17 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the replication-setup functionality in js/replication.js in phpMyAdmin 3.4.x before 3.4.10.1 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted database name.
CVE-2004-0129 1 Phpmyadmin 1 Phpmyadmin 2017-10-09 5.0 MEDIUM N/A
Directory traversal vulnerability in export.php in phpMyAdmin 2.5.5 and earlier allows remote attackers to read arbitrary files via .. (dot dot) sequences in the what parameter.
CVE-2008-5621 1 Phpmyadmin 1 Phpmyadmin 2017-09-28 6.0 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allows remote attackers to perform unauthorized actions as the administrator via a link or IMG tag to tbl_structure.php with a modified table parameter. NOTE: other unspecified pages are also reachable, but they have the same root cause. NOTE: this can be leveraged to conduct SQL injection attacks and execute arbitrary code.
CVE-2014-9218 1 Phpmyadmin 1 Phpmyadmin 2017-09-07 5.0 MEDIUM N/A
libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to cause a denial of service (resource consumption) via a long password.
CVE-2014-9219 1 Phpmyadmin 1 Phpmyadmin 2017-09-07 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the redirection feature in url.php in phpMyAdmin 4.2.x before 4.2.13.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter.