# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
1 |
CVE-2017-1000018 |
20 |
|
|
2017-07-17 |
2018-07-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
phpMyAdmin 4.0, 4.4., and 4.6 are vulnerable to a DOS attack in the replication status by using a specially crafted table name |
2 |
CVE-2017-1000016 |
20 |
|
|
2017-07-17 |
2017-07-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
A weakness was discovered where an attacker can inject arbitrary values in to the browser cookies. This is a re-issue of an incomplete fix from PMASA-2016-18. |
3 |
CVE-2017-1000014 |
20 |
|
|
2017-07-17 |
2018-07-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a DOS weakness in the table editing functionality |
4 |
CVE-2017-1000013 |
601 |
|
|
2017-07-17 |
2018-07-27 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to an open redirect weakness |
5 |
CVE-2016-9863 |
20 |
|
DoS |
2016-12-10 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
An issue was discovered in phpMyAdmin. With a very large request to table partitioning function, it is possible to invoke a Denial of Service (DoS) attack. All 4.6.x versions (prior to 4.6.5) are affected. |
6 |
CVE-2016-9862 |
94 |
|
|
2016-12-10 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered in phpMyAdmin. With a crafted login request it is possible to inject BBCode in the login page. All 4.6.x versions (prior to 4.6.5) are affected. |
7 |
CVE-2016-9861 |
254 |
|
Bypass |
2016-12-10 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered in phpMyAdmin. Due to the limitation in URL matching, it was possible to bypass the URL white-list protection. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. |
8 |
CVE-2016-9859 |
20 |
|
DoS |
2016-12-10 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in import feature. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. |
9 |
CVE-2016-9858 |
20 |
|
DoS |
2016-12-10 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in saved searches feature. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. |
10 |
CVE-2016-9855 |
200 |
|
+Info |
2016-12-10 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the PMA_shutdownDuringExport issue. |
11 |
CVE-2016-9854 |
200 |
|
Exec Code +Info |
2016-12-10 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the json_decode issue. |
12 |
CVE-2016-9853 |
200 |
|
+Info |
2016-12-10 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the fopen wrapper issue. |
13 |
CVE-2016-9852 |
200 |
|
+Info |
2016-12-10 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the curl wrapper issue. |
14 |
CVE-2016-9851 |
254 |
|
Bypass |
2016-12-10 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to bypass the logout timeout. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. |
15 |
CVE-2016-9850 |
254 |
|
|
2016-12-10 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered in phpMyAdmin. Username matching for the allow/deny rules may result in wrong matches and detection of the username in the rule due to non-constant execution time. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. |
16 |
CVE-2016-9848 |
200 |
|
+Info |
2016-12-10 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in phpMyAdmin. phpinfo (phpinfo.php) shows PHP information including values of HttpOnly cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. |
17 |
CVE-2016-9847 |
310 |
|
|
2016-12-10 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in phpMyAdmin. When the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where the way this value is created uses a weak algorithm. This could allow an attacker to determine the user's blowfish_secret and potentially decrypt their cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. |
18 |
CVE-2016-6627 |
200 |
|
+Info |
2016-12-10 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in phpMyAdmin. An attacker can determine the phpMyAdmin host location through the file url.php. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
19 |
CVE-2016-6626 |
254 |
|
|
2016-12-10 |
2017-06-30 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
An issue was discovered in phpMyAdmin. An attacker could redirect a user to a malicious web page. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
20 |
CVE-2016-6621 |
918 |
|
|
2017-01-31 |
2018-07-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
The setup script for phpMyAdmin before 4.0.10.19, 4.4.x before 4.4.15.10, and 4.6.x before 4.6.6 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors. |
21 |
CVE-2016-6611 |
89 |
|
Sql |
2016-12-10 |
2017-06-30 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
22 |
CVE-2016-6606 |
310 |
|
|
2016-12-10 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in cookie encryption in phpMyAdmin. The decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user's browser cookie file to decrypt the username and password. Furthermore, the same initialization vector (IV) is used to hash the username and password stored in the phpMyAdmin cookie. If a user has the same password as their username, an attacker who examines the browser cookie can see that they are the same - but the attacker can not directly decode these values from the cookie as it is still hashed. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
23 |
CVE-2016-5739 |
200 |
|
+Info CSRF |
2016-07-02 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php. |
24 |
CVE-2016-5730 |
200 |
|
+Info |
2016-07-02 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a missing config directory during setup, or (5) an incorrect OpenID identifier data type, which reveals the full path in an error message. |
25 |
CVE-2016-5706 |
399 |
|
DoS |
2016-07-02 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to cause a denial of service via a large array in the scripts parameter. |
26 |
CVE-2016-5098 |
22 |
|
Dir. Trav. |
2016-07-04 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Directory traversal vulnerability in libraries/error_report.lib.php in phpMyAdmin before 4.6.2-prerelease allows remote attackers to determine the existence of arbitrary files by triggering an error. |
27 |
CVE-2016-5097 |
200 |
|
+Info |
2016-07-04 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
phpMyAdmin before 4.6.2 places tokens in query strings and does not arrange for them to be stripped before external navigation, which allows remote attackers to obtain sensitive information by reading (1) HTTP requests or (2) server logs. |
28 |
CVE-2016-2562 |
20 |
|
+Info |
2016-03-01 |
2016-12-02 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof these servers and obtain sensitive information via a crafted certificate. |
29 |
CVE-2016-2044 |
200 |
|
+Info |
2016-02-19 |
2016-08-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
libraries/sql-parser/autoload.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. |
30 |
CVE-2016-2042 |
200 |
|
+Info |
2016-02-19 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request to (1) libraries/phpseclib/Crypt/AES.php or (2) libraries/phpseclib/Crypt/Rijndael.php, which reveals the full path in an error message. |
31 |
CVE-2016-2041 |
254 |
|
Bypass CSRF |
2016-02-19 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences. |
32 |
CVE-2016-2039 |
200 |
|
Bypass +Info CSRF |
2016-02-19 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value. |
33 |
CVE-2016-2038 |
200 |
|
+Info |
2016-02-19 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. |
34 |
CVE-2016-1927 |
254 |
|
|
2016-02-19 |
2016-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the Math.random JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach. |
35 |
CVE-2015-8669 |
200 |
|
+Info |
2015-12-26 |
2016-12-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
libraries/config/messages.inc.php in phpMyAdmin 4.0.x before 4.0.10.12, 4.4.x before 4.4.15.2, and 4.5.x before 4.5.3.1 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. |
36 |
CVE-2015-7873 |
254 |
|
|
2015-10-28 |
2016-12-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
The redirection feature in url.php in phpMyAdmin 4.4.x before 4.4.15.1 and 4.5.x before 4.5.1 allows remote attackers to spoof content via the url parameter. |
37 |
CVE-2015-6830 |
200 |
|
Bypass +Info |
2015-09-13 |
2016-12-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4.3.x before 4.3.13.2 and 4.4.x before 4.4.14.1 allows remote attackers to bypass a multiple-reCaptcha protection mechanism against brute-force credential guessing by providing a correct response to a single reCaptcha. |
38 |
CVE-2015-2206 |
200 |
|
+Info CSRF |
2015-03-09 |
2016-12-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests. |
39 |
CVE-2014-9218 |
399 |
|
DoS |
2014-12-08 |
2017-09-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to cause a denial of service (resource consumption) via a long password. |
40 |
CVE-2013-5000 |
200 |
|
+Info |
2013-07-31 |
2013-07-31 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
phpMyAdmin 3.5.x before 3.5.8.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to config.default.php and other files. |
41 |
CVE-2013-4999 |
200 |
|
+Info |
2013-07-31 |
2013-07-31 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
phpMyAdmin 4.0.x before 4.0.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to Error.class.php and Error_Handler.class.php. |
42 |
CVE-2013-4998 |
200 |
|
+Info |
2013-07-31 |
2013-07-31 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to pmd_common.php and other files. |
43 |
CVE-2013-4729 |
264 |
|
|
2013-07-04 |
2013-07-05 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
import.php in phpMyAdmin 4.x before 4.0.4.1 does not properly restrict the ability of input data to specify a file format, which allows remote authenticated users to modify the GLOBALS superglobal array, and consequently change the configuration, via a crafted request. |
44 |
CVE-2012-4219 |
200 |
|
+Info |
2012-08-21 |
2012-09-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
show_config_errors.php in phpMyAdmin 3.5.x before 3.5.2.1 allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message, related to lack of inclusion of the common.inc.php library file. |
45 |
CVE-2011-3646 |
20 |
|
+Info |
2011-11-17 |
2011-11-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
phpmyadmin.css.php in phpMyAdmin 3.4.x before 3.4.6 allows remote attackers to obtain sensitive information via an array-typed js_frame parameter to phpmyadmin.css.php, which reveals the installation path in an error message. |
46 |
CVE-2011-0986 |
20 |
|
|
2011-02-14 |
2017-08-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
phpMyAdmin 2.11.x before 2.11.11.2, and 3.3.x before 3.3.9.1, does not properly handle the absence of the (1) README, (2) ChangeLog, and (3) LICENSE files, which allows remote attackers to obtain the installation path via a direct request for a nonexistent file. |
47 |
CVE-2010-4481 |
287 |
|
Bypass +Info |
2010-12-17 |
2011-01-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
phpMyAdmin before 3.4.0-beta1 allows remote attackers to bypass authentication and obtain sensitive information via a direct request to phpinfo.php, which calls the phpinfo function. |
48 |
CVE-2009-4605 |
|
|
CSRF |
2010-01-19 |
2010-05-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before 2.11.10 calls the unserialize function on the values of the (1) configuration and (2) v[0] parameters, which might allow remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. |
49 |
CVE-2009-1148 |
22 |
|
Dir. Trav. |
2009-03-26 |
2009-04-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Directory traversal vulnerability in bs_disp_as_mime_type.php in the BLOB streaming feature in phpMyAdmin before 3.1.3.1 allows remote attackers to read arbitrary files via directory traversal sequences in the file_path parameter ($filename variable). |
50 |
CVE-2008-1149 |
89 |
|
Sql CSRF |
2008-03-04 |
2017-08-07 |
5.1 |
User |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
phpMyAdmin before 2.11.5 accesses $_REQUEST to obtain some parameters instead of $_GET and $_POST, which allows attackers in the same domain to override certain variables and conduct SQL injection and Cross-Site Request Forgery (CSRF) attacks by using crafted cookies. |