Phpmyadmin : Security Vulnerabilities, CVEs, CVSS score >= 4
CVE-2018-12613
Public exploit
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
Max CVSS
8.8
EPSS Score
97.41%
Published
2018-06-21
Updated
2021-11-02
CVE-2017-1000499
Public exploit
phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a CSRF weakness. By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc.
Max CVSS
8.8
EPSS Score
74.35%
Published
2018-01-03
Updated
2019-04-30
CVE-2016-5734
Public exploit
phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation.
Max CVSS
9.8
EPSS Score
92.08%
Published
2016-07-03
Updated
2017-07-01
CVE-2013-3238
Public exploit
phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote authenticated users to execute arbitrary code via a /e\x00 sequence, which is not properly handled before making a preg_replace function call within the "Replace table prefix" feature.
Max CVSS
6.0
EPSS Score
97.28%
Published
2013-04-26
Updated
2013-11-19
CVE-2012-5159
Public exploit
phpMyAdmin 3.5.2.2, as distributed by the cdnetworks-kr-1 mirror during an unspecified time frame in 2012, contains an externally introduced modification (Trojan Horse) in server_sync.php, which allows remote attackers to execute arbitrary PHP code via an eval injection attack.
Max CVSS
7.5
EPSS Score
92.72%
Published
2012-09-25
Updated
2013-01-26
CVE-2009-1151
Known exploited
Public exploit
Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action.
Max CVSS
7.5
EPSS Score
79.26%
Published
2009-03-26
Updated
2018-10-10
CISA KEV Added
2022-03-25
6 vulnerabilities found