phpMyAdmin
by PhpMyAdmin
Source repositories
CVEs (257)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-5730 | Med | 0.28 | 5.3 | 0.03 | Jul 3, 2016 | phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a… | ||
| CVE-2016-2559 | Med | 0.28 | 5.4 | 0.02 | Mar 1, 2016 | Cross-site scripting (XSS) vulnerability in the format function in libraries/sql-parser/src/Utils/Error.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.5.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query. | ||
| CVE-2016-2045 | Med | 0.28 | 5.4 | 0.02 | Feb 20, 2016 | Cross-site scripting (XSS) vulnerability in the SQL editor in phpMyAdmin 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a SQL query that triggers JSON data in a response. | ||
| CVE-2016-2044 | Med | 0.28 | 5.3 | 0.02 | Feb 20, 2016 | libraries/sql-parser/autoload.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. | ||
| CVE-2016-2043 | Med | 0.28 | 5.4 | 0.01 | Feb 20, 2016 | Cross-site scripting (XSS) vulnerability in the goToFinish1NF function in js/normalization.js in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a table name to the normalization page. | ||
| CVE-2016-2042 | Med | 0.28 | 5.3 | 0.02 | Feb 20, 2016 | phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request to (1) libraries/phpseclib/Crypt/AES.php or (2) libraries/phpseclib/Crypt/Rijndael.php, which reveals the full path in an error message. | ||
| CVE-2016-2040 | Med | 0.28 | 5.4 | 0.02 | Feb 20, 2016 | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname… | ||
| CVE-2016-2039 | Med | 0.28 | 5.3 | 0.02 | Feb 20, 2016 | libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value. | ||
| CVE-2016-2038 | Med | 0.28 | 5.3 | 0.03 | Feb 20, 2016 | phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. | ||
| CVE-2015-8669 | Med | 0.28 | 5.3 | 0.02 | Dec 26, 2015 | libraries/config/messages.inc.php in phpMyAdmin 4.0.x before 4.0.10.12, 4.4.x before 4.4.15.2, and 4.5.x before 4.5.3.1 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. | ||
| CVE-2016-5702 | Low | 0.17 | 3.7 | 0.02 | Jul 3, 2016 | phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI. | ||
| CVE-2012-5159 | 0.09 | — | 0.75 | Sep 25, 2012 | phpMyAdmin 3.5.2.2, as distributed by the cdnetworks-kr-1 mirror during an unspecified time frame in 2012, contains an externally introduced modification (Trojan Horse) in server_sync.php, which allows remote attackers to execute arbitrary PHP code via an eval injection attack. | |||
| CVE-2019-6799 | 0.06 | — | 0.16 | Jan 26, 2019 | An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the… | |||
| CVE-2012-5469 | 0.05 | — | 0.24 | Dec 20, 2012 | The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod. | |||
| CVE-2009-1285 | 0.04 | — | 0.11 | Apr 16, 2009 | Static code injection vulnerability in the getConfigFile function in setup/lib/ConfigFile.class.php in phpMyAdmin 3.x before 3.1.3.2 allows remote attackers to inject arbitrary PHP code into configuration files. | |||
| CVE-2008-4096 | 0.04 | — | 0.11 | Sep 18, 2008 | libraries/database_interface.lib.php in phpMyAdmin before 2.11.9.1 allows remote authenticated users to execute arbitrary code via a request to server_databases.php with a sort_by parameter containing PHP sequences, which are processed by create_function. | |||
| CVE-2005-3299 | 0.04 | — | 0.16 | Oct 23, 2005 | PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array. | |||
| CVE-2004-1147 | 0.04 | — | 0.12 | Jan 10, 2005 | phpMyAdmin 2.6.0-pl2, and other versions before 2.6.1, with external transformations enabled, allows remote attackers to execute arbitrary commands via shell metacharacters. | |||
| CVE-2004-2631 | 0.04 | — | 0.09 | Dec 31, 2004 | Eval injection vulnerability in left.php in phpMyAdmin 2.5.1 up to 2.5.7, when LeftFrameLight is FALSE, allows remote attackers to execute arbitrary PHP code via a crafted table name. | |||
| CVE-2004-0129 | 0.04 | — | 0.09 | Mar 3, 2004 | Directory traversal vulnerability in export.php in phpMyAdmin 2.5.5 and earlier allows remote attackers to read arbitrary files via .. (dot dot) sequences in the what parameter. |
- risk 0.28cvss 5.3epss 0.03
phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a…
- risk 0.28cvss 5.4epss 0.02
Cross-site scripting (XSS) vulnerability in the format function in libraries/sql-parser/src/Utils/Error.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.5.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query.
- risk 0.28cvss 5.4epss 0.02
Cross-site scripting (XSS) vulnerability in the SQL editor in phpMyAdmin 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a SQL query that triggers JSON data in a response.
- risk 0.28cvss 5.3epss 0.02
libraries/sql-parser/autoload.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message.
- risk 0.28cvss 5.4epss 0.01
Cross-site scripting (XSS) vulnerability in the goToFinish1NF function in js/normalization.js in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a table name to the normalization page.
- risk 0.28cvss 5.3epss 0.02
phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request to (1) libraries/phpseclib/Crypt/AES.php or (2) libraries/phpseclib/Crypt/Rijndael.php, which reveals the full path in an error message.
- risk 0.28cvss 5.4epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname…
- risk 0.28cvss 5.3epss 0.02
libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value.
- risk 0.28cvss 5.3epss 0.03
phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message.
- risk 0.28cvss 5.3epss 0.02
libraries/config/messages.inc.php in phpMyAdmin 4.0.x before 4.0.10.12, 4.4.x before 4.4.15.2, and 4.5.x before 4.5.3.1 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message.
- risk 0.17cvss 3.7epss 0.02
phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI.
- CVE-2012-5159Sep 25, 2012risk 0.09cvss —epss 0.75
phpMyAdmin 3.5.2.2, as distributed by the cdnetworks-kr-1 mirror during an unspecified time frame in 2012, contains an externally introduced modification (Trojan Horse) in server_sync.php, which allows remote attackers to execute arbitrary PHP code via an eval injection attack.
- CVE-2019-6799Jan 26, 2019risk 0.06cvss —epss 0.16
An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the…
- CVE-2012-5469Dec 20, 2012risk 0.05cvss —epss 0.24
The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod.
- CVE-2009-1285Apr 16, 2009risk 0.04cvss —epss 0.11
Static code injection vulnerability in the getConfigFile function in setup/lib/ConfigFile.class.php in phpMyAdmin 3.x before 3.1.3.2 allows remote attackers to inject arbitrary PHP code into configuration files.
- CVE-2008-4096Sep 18, 2008risk 0.04cvss —epss 0.11
libraries/database_interface.lib.php in phpMyAdmin before 2.11.9.1 allows remote authenticated users to execute arbitrary code via a request to server_databases.php with a sort_by parameter containing PHP sequences, which are processed by create_function.
- CVE-2005-3299Oct 23, 2005risk 0.04cvss —epss 0.16
PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
- CVE-2004-1147Jan 10, 2005risk 0.04cvss —epss 0.12
phpMyAdmin 2.6.0-pl2, and other versions before 2.6.1, with external transformations enabled, allows remote attackers to execute arbitrary commands via shell metacharacters.
- CVE-2004-2631Dec 31, 2004risk 0.04cvss —epss 0.09
Eval injection vulnerability in left.php in phpMyAdmin 2.5.1 up to 2.5.7, when LeftFrameLight is FALSE, allows remote attackers to execute arbitrary PHP code via a crafted table name.
- CVE-2004-0129Mar 3, 2004risk 0.04cvss —epss 0.09
Directory traversal vulnerability in export.php in phpMyAdmin 2.5.5 and earlier allows remote attackers to read arbitrary files via .. (dot dot) sequences in the what parameter.
Page 5 of 13