Critical severity9.8NVD Advisory· Published May 1, 2018· Updated Jun 17, 2026
CVE-2017-18264
CVE-2017-18264
Description
An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions (e.g., version 5). This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). This occurs because some implementations of the PHP substr function return false when given '' as the first argument.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
phpmyadmin/phpmyadminPackagist | >= 4.0, < 4.0.10.20 | 4.0.10.20 |
phpmyadmin/phpmyadminPackagist | >= 4.7.0-beta1, < 4.7.0 | 4.7.0 |
phpmyadmin/phpmyadminPackagist | >= 4.4.0, <= 4.4.15.10 | — |
phpmyadmin/phpmyadminPackagist | >= 4.6.0, <= 4.6.6 | — |
Affected products
1Patches
Vulnerability mechanics
References
6- www.phpmyadmin.net/security/PMASA-2017-8/nvdPatchVendor Advisory
- www.securityfocus.com/bid/97211nvdThird Party AdvisoryVDB EntryWEB
- github.com/advisories/GHSA-5868-g58j-vrj5ghsaADVISORY
- lists.debian.org/debian-lts-announce/2018/07/msg00006.htmlnvdThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2017-18264ghsaADVISORY
- www.phpmyadmin.net/security/PMASA-2017-8ghsaWEB
News mentions
0No linked articles in our index yet.