Vulnerability Details : CVE-2008-3197
Cross-site request forgery (CSRF) vulnerability in phpMyAdmin before 2.11.7.1 allows remote attackers to perform unauthorized actions via a link or IMG tag to (1) the db parameter in the "Creating a Database" functionality (db_create.php), and (2) the convcharset and collation_connection parameters related to an unspecified program that modifies the connection character set.
Vulnerability category: Cross-site request forgery (CSRF)
Products affected by CVE-2008-3197
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.2_rc2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.2_pre1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.2_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.2_rc3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5_rc2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5_pl1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.6_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.7_pl1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.0_pl1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.0_pl2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.0_pl3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.2_pl1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.6_rc2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.2_dev:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.1_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.2_pre2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.1_pl3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.1_pl1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.2_pl1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.3_pl1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4_pl1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4_pl3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4_pl2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.7_pl1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4_pl4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.7.0_beta1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.2_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.7.0_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.7.0_pl1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0_pre1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.7.0_pl2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0_pre2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0_rc2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0_rc3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0_dev:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.1_dev:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.7_pl1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.9_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.1_rc2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.1_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0_beta1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.01:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.3rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0beta1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5rc1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2008-3197
0.36%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 72 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2008-3197
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
6.8
|
2.9
|
NIST |
CWE ids for CVE-2008-3197
-
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Assigned by: nvd@nist.gov (Primary)
References for CVE-2008-3197
-
http://www.openwall.com/lists/oss-security/2008/07/15/6
oss-security - CVE request: phpmyadmin < 2.11.7.1
-
http://www.debian.org/security/2008/dsa-1641
[SECURITY] [DSA 1641-1] New phpmyadmin packages fix several issues
-
http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0
phpMyAdmin - Downloads
-
http://yehg.net/lab/pr0js/advisories/XSRF_CreateDB_inPhpMyAdmin2.11.7.pdf
Exploit
-
http://www.vupen.com/english/advisories/2008/2116/references
Site en construction
-
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-5
phpMyAdmin - Security - PMASA-2008-5
-
http://yehg.net/lab/pr0js/advisories/XSRF_ConvertCharset_inPhpMyAdmin2.11.7.pdf
-
http://sourceforge.net/project/shownotes.php?release_id=613660
Page not found - SourceForge.net
-
https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00652.html
[SECURITY] Fedora 8 Update: phpMyAdmin-2.11.7.1-1.fc8
-
http://www.mandriva.com/security/advisories?name=MDVSA-2008:202
Mandriva
-
https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00590.html
[SECURITY] Fedora 9 Update: phpMyAdmin-2.11.7.1-1.fc9
-
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00000.html
[security-announce] SUSE Security Summary Report: SUSE-SR:2009:003 - openSUSE Security Announce - openSUSE Mailing Lists
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/43846
PhpMyAdmin db, convcharset and collation_connection parameters cross-site request forgery CVE-2008-3197 Vulnerability Report
Jump to