CVE-2018-19969
Description
phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyAdmin 4.7.x and 4.8.x prior to 4.8.4 are vulnerable to multiple CSRF flaws that allow an attacker to perform harmful SQL operations by deceiving a user into clicking a crafted URL.
Vulnerability
phpMyAdmin versions 4.7.0 through 4.7.6 and 4.8.0 through 4.8.3 are affected by a series of cross-site request forgery (CSRF) vulnerabilities [1][2]. The flaws exist in various actions that lack proper CSRF token validation, allowing an attacker to craft a malicious URL and trick an authenticated user into visiting it [1][2]. The attack can be executed against any user who has an active phpMyAdmin session [1].
Exploitation
An attacker can exploit these vulnerabilities by crafting a URL that points to a specific phpMyAdmin action (e.g., renaming a database, creating a table, adding or deleting a user, updating a password) and then deceiving an authenticated user into visiting it [1][2]. The attacker needs no network position and no credentials of their own: the victim's browser attaches the victim's phpMyAdmin session cookie to the forged request, and because the targeted action does not validate a CSRF token, the server cannot tell the forged request from one the victim made deliberately. The action is therefore executed with the victim's privileges, in the context of the victim's session [1][2].
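The following is an added illustration of the weakness class described above, not phpMyAdmin's code or its actual patch. It models one state-changing action (a database rename) two ways: a handler that trusts the session cookie alone, which any attacker-controlled page can trigger, and a hardened handler that requires a POST carrying a per-session secret token. The `Session` and `Request` classes, the in-memory `db` dict, and the parameter names `db`, `new_name` and `token` are invented for this example.

```python
"""CSRF weakness class behind PMASA-2018-7, illustrated generically.

Added example, not phpMyAdmin code. Session/Request, the in-memory ``db``
dict and the parameter names are assumptions made for this illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session, looked up from the cookie the browser sends."""
    user: str
    # Secret bound to the session; an attacker's origin cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    params: dict
    # Browsers attach the victim's cookie to cross-site requests (absent
    # SameSite restrictions), so a forged request still carries a live session.
    session: Session


def rename_db_vulnerable(req: Request, db: dict) -> str:
    """Acts on any request with a live session: a crafted link or an
    <img src=...> on an attacker page is enough to trigger it."""
    old, new = req.params["db"], req.params["new_name"]
    db[new] = db.pop(old)
    return f"renamed {old} -> {new}"


def rename_db_fixed(req: Request, db: dict) -> str:
    """Rejects GET, and any request whose token does not match the session's.

    hmac.compare_digest keeps the comparison constant-time so the token
    cannot be recovered byte by byte through timing."""
    if req.method != "POST":
        raise PermissionError("state-changing action must be POSTed")
    supplied = req.params.get("token", "")
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        raise PermissionError("missing or invalid CSRF token")
    old, new = req.params["db"], req.params["new_name"]
    db[new] = db.pop(old)
    return f"renamed {old} -> {new}"


def forged_request(victim: Session, method: str = "GET") -> Request:
    """What the attacker can build: the URL parameters are public knowledge,
    the victim's token is not, so at best it is guessed."""
    return Request(method, {"db": "prod", "new_name": "pwned",
                            "token": secrets.token_hex(32)}, victim)


def legitimate_request(victim: Session) -> Request:
    """Form submission rendered by the application itself, carrying the
    token the application embedded in the page."""
    return Request("POST", {"db": "prod", "new_name": "prod_v2",
                            "token": victim.csrf_token}, victim)


def run_scenarios() -> dict:
    """Exercise both handlers against forged and legitimate requests;
    returns which requests each handler accepted."""
    victim = Session(user="dba")
    results = {}

    db = {"prod": "..."}  # constructed sample database catalogue
    rename_db_vulnerable(forged_request(victim), db)
    results["vulnerable_accepts_forged_get"] = "pwned" in db

    for name, req in (("forged_get", forged_request(victim)),
                      ("forged_post_guessed_token", forged_request(victim, "POST")),
                      ("legitimate_post", legitimate_request(victim))):
        db = {"prod": "..."}
        try:
            rename_db_fixed(req, db)
            results[f"fixed_accepts_{name}"] = True
        except PermissionError:
            results[f"fixed_accepts_{name}"] = False
    return results


if __name__ == "__main__":
    for outcome, accepted in run_scenarios().items():
        print(f"{outcome}: {accepted}")
```

The token must be unguessable and tied to the session, and it must be checked on every state-changing action, not just some of them; the advisory's point is precisely that a subset of phpMyAdmin actions lacked the check. Refusing GET for state changes is a useful second layer, since an `<img>` or a plain link can only issue GETs.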
Impact
Successful exploitation allows the attacker to perform harmful SQL operations such as renaming databases, creating new tables or routines, deleting designer pages, adding or deleting users, updating user passwords, and killing SQL processes [1][2]. This could lead to unauthorized data modification, privilege escalation, or denial of service within the database managed by phpMyAdmin [2].
Mitigation
Upgrade to phpMyAdmin version 4.8.4 or later, which was released on December 7, 2018, and contains the fix [2][3]. Patches are also available via multiple commits on the 4.8 branch [2]. For Gentoo Linux users, the package should be upgraded to >=dev-db/phpmyadmin-4.8.4 [4]. No workaround is available for unpatched versions [2][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 4.8, < 4.8.4 | 4.8.4 |
| phpmyadmin/phpmyadmin (Packagist) | >= 4.7, <= 4.7.6 | — |
Affected products
- Range: >=4.7.0, <4.8.4
- ghsa-coords (2 versions): >= 4.8, < 4.8.4, + 1 more
- (no CPE) range: >= 4.8, < 4.8.4
- (no CPE) range: < 5.1.1-1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-xwf2-53mc-r8hx (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-19969 (GHSA; advisory)
- security.gentoo.org/glsa/201904-16 (GHSA; vendor advisory; x_refsource_GENTOO; web)
- www.securityfocus.com/bid/106175 (MITRE; vdb-entry; x_refsource_BID)
- web.archive.org/web/20210124223800/https://www.securityfocus.com/bid/106175 (GHSA; web)
- www.phpmyadmin.net/security/PMASA-2018-7 (GHSA; web)
- www.phpmyadmin.net/security/PMASA-2018-7/ (MITRE; x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.