CVE-2011-2507
Description
Authenticated users can execute arbitrary PHP code via injection of a PCRE e modifier in phpMyAdmin's Synchronize implementation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The libraries/server_synchronize.lib.php file in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly quote regular expressions, allowing injection of the PCRE e (PREG_REPLACE_EVAL) modifier. Affected versions include 3.0.x through 3.3.10.1 and 3.4.x through 3.4.3.0.
Exploitation
An attacker must be authenticated and able to modify the $_SESSION superglobal, which can be achieved via a separate vulnerability (e.g., CVE-2011-2505) [1]. By setting specific session values, the attacker injects the e modifier into a preg_replace call, enabling arbitrary PHP code execution.
Impact
Successful exploitation allows arbitrary PHP code execution within the context of the web server, leading to full compromise of the phpMyAdmin installation and potentially the underlying system.
Mitigation
Fixed in phpMyAdmin 3.3.10.2 and 3.4.3.1 [3]. Users should upgrade to these versions immediately. No workaround has been disclosed; upgrading is the only recommended mitigation.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.4:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.0:*:*:*:*:*:*:*
- (no CPE) range: >=3.0, <3.3.10.2 || >=3.4.0, <3.4.3.1
References
- www.phpmyadmin.net/home_page/security/PMASA-2011-7.php (nvd; Patch, Vendor Advisory)
- ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html (nvd; Exploit)
- ha.xxor.se/2011/07/phpmyadmin-3x-pregreplace-rce-poc.html (nvd; Exploit)
- secunia.com/advisories/45139 (nvd; Vendor Advisory)
- 0x6a616d6573.blogspot.com/2011/07/phpmyadmin-fud.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2011-July/062719.html (nvd)
- phpmyadmin.git.sourceforge.net/git/gitweb.cgi (nvd)
- secunia.com/advisories/45292 (nvd)
- secunia.com/advisories/45315 (nvd)
- securityreason.com/securityalert/8306 (nvd)
- typo3.org/teams/security/security-bulletins/typo3-sa-2011-008/ (nvd)
- www.debian.org/security/2011/dsa-2286 (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.openwall.com/lists/oss-security/2011/06/28/2 (nvd)
- www.openwall.com/lists/oss-security/2011/06/28/6 (nvd)
- www.openwall.com/lists/oss-security/2011/06/28/8 (nvd)
- www.openwall.com/lists/oss-security/2011/06/29/11 (nvd)
- www.osvdb.org/73613 (nvd)
- www.securityfocus.com/archive/1/518804/100/0/threaded (nvd)
- www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt (nvd)