PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially sensitive information by creating invalid requests. This affects the lang parameter, the pma_parameter, and the cookie section.
Source: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Max CVSS
7.5
EPSS Score
0.14%
Published
2022-03-10
Updated
2023-11-26
phpMyAdmin 4.0, 4.4., and 4.6 are vulnerable to a DOS attack in the replication status by using a specially crafted table name
Source: MITRE
Max CVSS
7.5
EPSS Score
0.10%
Published
2017-07-17
Updated
2019-03-20
A weakness was discovered where an attacker can inject arbitrary values in to the browser cookies. This is a re-issue of an incomplete fix from PMASA-2016-18.
Source: MITRE
Max CVSS
7.5
EPSS Score
0.09%
Published
2017-07-17
Updated
2017-07-26
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a DOS weakness in the table editing functionality
Source: MITRE
Max CVSS
7.5
EPSS Score
0.10%
Published
2017-07-17
Updated
2019-03-19
An issue was discovered in phpMyAdmin. With a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the MySQL database. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Source: MITRE
Max CVSS
7.5
EPSS Score
0.33%
Published
2016-12-11
Updated
2017-07-01
An issue was discovered in phpMyAdmin. With a very large request to table partitioning function, it is possible to invoke a Denial of Service (DoS) attack. All 4.6.x versions (prior to 4.6.5) are affected.
Source: MITRE
Max CVSS
7.5
EPSS Score
0.29%
Published
2016-12-11
Updated
2017-07-01
An issue was discovered in phpMyAdmin. With a crafted login request it is possible to inject BBCode in the login page. All 4.6.x versions (prior to 4.6.5) are affected.
Source: MITRE
Max CVSS
7.5
EPSS Score
0.15%
Published
2016-12-11
Updated
2017-07-01
An issue was discovered in phpMyAdmin. Due to the limitation in URL matching, it was possible to bypass the URL white-list protection. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Source: MITRE
Max CVSS
7.5
EPSS Score
0.24%
Published
2016-12-11
Updated
2017-07-01
An issue was discovered in phpMyAdmin. In the "User group" and "Designer" features, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected.
Source: MITRE
Max CVSS
7.5
EPSS Score
0.11%
Published
2016-12-11
Updated
2018-07-08
The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php.
Source: MITRE
Max CVSS
7.5
EPSS Score
0.48%
Published
2016-07-03
Updated
2018-10-30
js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to cause a denial of service via a large array in the scripts parameter.
Source: MITRE
Max CVSS
7.5
EPSS Score
2.83%
Published
2016-07-03
Updated
2018-10-30
libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences.
Source: MITRE
Max CVSS
7.5
EPSS Score
0.36%
Published
2016-02-20
Updated
2018-10-30
The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the Math.random JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach.
Source: MITRE
Max CVSS
7.5
EPSS Score
0.62%
Published
2016-02-20
Updated
2016-11-28
The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod.
Source: MITRE
Max CVSS
7.5
EPSS Score
1.17%
Published
2012-12-20
Updated
2012-12-28

CVE-2012-5159

Public exploit
phpMyAdmin 3.5.2.2, as distributed by the cdnetworks-kr-1 mirror during an unspecified time frame in 2012, contains an externally introduced modification (Trojan Horse) in server_sync.php, which allows remote attackers to execute arbitrary PHP code via an eval injection attack.
Source: MITRE
Max CVSS
7.5
EPSS Score
92.65%
Published
2012-09-25
Updated
2013-01-26
setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array.
Source: Red Hat, Inc.
Max CVSS
7.5
EPSS Score
19.87%
Published
2011-07-14
Updated
2018-10-09
The configuration setup script (aka scripts/setup.php) in phpMyAdmin 2.11.x before 2.11.10.1 does not properly restrict key names in its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request.
Source: MITRE
Max CVSS
7.5
EPSS Score
10.06%
Published
2010-08-24
Updated
2011-01-28
SQL injection vulnerability in the PDF schema generator functionality in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified interface parameters.
Source: MITRE
Max CVSS
7.5
EPSS Score
0.53%
Published
2009-10-16
Updated
2017-08-17
Static code injection vulnerability in the getConfigFile function in setup/lib/ConfigFile.class.php in phpMyAdmin 3.x before 3.1.3.2 allows remote attackers to inject arbitrary PHP code into configuration files.
Source: MITRE
Max CVSS
7.5
EPSS Score
2.92%
Published
2009-04-16
Updated
2009-04-28

CVE-2009-1151

Known exploited
Public exploit
Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action.
Source: MITRE
Max CVSS
7.5
EPSS Score
79.94%
Published
2009-03-26
Updated
2018-10-10
CISA KEV Added
2022-03-25
CRLF injection vulnerability in bs_disp_as_mime_type.php in the BLOB streaming feature in phpMyAdmin before 3.1.3.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the (1) c_type and possibly (2) file_type parameters.
Source: MITRE
Max CVSS
7.5
EPSS Score
1.11%
Published
2009-03-26
Updated
2009-04-16
The PMA_ArrayWalkRecursive function in libraries/common.lib.php in phpMyAdmin before 2.10.0.2 does not limit recursion on arrays provided by users, which allows context-dependent attackers to cause a denial of service (web server crash) via an array with many dimensions. NOTE: it could be argued that this vulnerability is caused by a problem in PHP (CVE-2006-1549) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in phpMyAdmin.
Source: MITRE
Max CVSS
7.1
EPSS Score
4.41%
Published
2007-03-07
Updated
2011-03-08
phpMyAdmin before 2.9.1.1 allows remote attackers to bypass Allow/Deny access rules that use IP addresses via false headers.
Source: MITRE
Max CVSS
7.5
EPSS Score
1.27%
Published
2007-01-19
Updated
2011-03-08
Multiple CRLF injection vulnerabilities in PhpMyAdmin 2.7.0-pl2 allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a phpMyAdmin cookie in (1) css/phpmyadmin.css.php, (2) db_create.php, (3) index.php, (4) left.php, (5) libraries/session.inc.php, (6) libraries/transformations/overview.php, (7) querywindow.php, (8) server_engines.php, and possibly other files.
Source: MITRE
Max CVSS
7.5
EPSS Score
0.89%
Published
2006-12-07
Updated
2018-10-17
SQL injection vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows remote attackers to execute arbitrary SQL commands via the sql_query parameter.
Source: MITRE
Max CVSS
7.5
EPSS Score
1.33%
Published
2006-04-18
Updated
2018-10-18
32 vulnerabilities found
1 2
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!