Filtered by vendor Phpmyadmin
Subscribe
Total
270 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-2562 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-12 | 5.8 MEDIUM | 6.8 MEDIUM |
| The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof these servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2016-9866 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-12 | 6.8 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. | |||||
| CVE-2016-5730 | 2 Opensuse, Phpmyadmin | 3 Leap, Opensuse, Phpmyadmin | 2025-04-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a missing config directory during setup, or (5) an incorrect OpenID identifier data type, which reveals the full path in an error message. | |||||
| CVE-2011-3592 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-12 | 3.5 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the PMA_unInlineEditRow function in js/sql.js in phpMyAdmin 3.4.x before 3.4.5 allow remote authenticated users to inject arbitrary web script or HTML via a (1) database name, (2) table name, or (3) column name that is not properly handled after an inline-editing operation. | |||||
| CVE-2016-6620 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-12 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in phpMyAdmin. Some data is passed to the PHP unserialize() function without verification that it's valid serialized data. The unserialization can result in code execution because of the interaction with object instantiation and autoloading. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | |||||
| CVE-2014-8959 | 2 Opensuse, Phpmyadmin | 2 Opensuse, Phpmyadmin | 2025-04-12 | 6.5 MEDIUM | N/A |
| Directory traversal vulnerability in libraries/gis/GIS_Factory.class.php in the GIS editor in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allows remote authenticated users to include and execute arbitrary local files via a crafted geometry-type parameter. | |||||
| CVE-2016-9854 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the json_decode issue. | |||||
| CVE-2016-4412 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-12 | 3.6 LOW | 4.4 MEDIUM |
| An issue was discovered in phpMyAdmin. A user can be tricked into following a link leading to phpMyAdmin, which after authentication redirects to another malicious site. The attacker must sniff the user's valid phpMyAdmin token. All 4.0.x versions (prior to 4.0.10.16) are affected. | |||||
| CVE-2016-9861 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-12 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in phpMyAdmin. Due to the limitation in URL matching, it was possible to bypass the URL white-list protection. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. | |||||
| CVE-2011-3591 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-12 | 3.5 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.4.x before 3.4.5 allow remote authenticated users to inject arbitrary web script or HTML via a crafted row that triggers an improperly constructed confirmation message after inline-editing and save operations, related to (1) js/functions.js and (2) js/tbl_structure.js. | |||||
| CVE-2016-6624 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-12 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in phpMyAdmin involving improper enforcement of the IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | |||||
| CVE-2016-2561 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-12 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3) templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos parameter to db_central_columns.php in the central columns page. | |||||
| CVE-2015-3903 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-12 | 4.3 MEDIUM | N/A |
| libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 disables X.509 certificate verification for GitHub API calls over SSL, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2015-2206 | 2 Fedoraproject, Phpmyadmin | 2 Fedora, Phpmyadmin | 2025-04-12 | 5.0 MEDIUM | N/A |
| libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests. | |||||
| CVE-2015-6830 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-12 | 5.0 MEDIUM | N/A |
| libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4.3.x before 4.3.13.2 and 4.4.x before 4.4.14.1 allows remote attackers to bypass a multiple-reCaptcha protection mechanism against brute-force credential guessing by providing a correct response to a single reCaptcha. | |||||
| CVE-2016-5705 | 2 Opensuse, Phpmyadmin | 3 Leap, Opensuse, Phpmyadmin | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an "invalid JSON" error message in the error console, (3) a database name in the central columns implementation, (4) a group name, or (5) a search name in the bookmarks implementation. | |||||
| CVE-2016-9849 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-12 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in phpMyAdmin. It is possible to bypass AllowRoot restriction ($cfg['Servers'][$i]['AllowRoot']) and deny rules for username by using Null Byte in the username. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. | |||||
| CVE-2014-4348 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-12 | 3.5 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database name or (2) table name that is improperly handled after presence in (a) the favorite list or (b) recent tables. | |||||
| CVE-2016-6608 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the "Remove partitioning" functionality. Specially crafted database names can trigger the XSS attack. All 4.6.x versions (prior to 4.6.4) are affected. | |||||
| CVE-2016-5733 | 2 Opensuse, Phpmyadmin | 3 Leap, Opensuse, Phpmyadmin | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during privilege checking in table_row.phtml, (2) a crafted mysqld log_bin directive that is mishandled in log_selector.phtml, (3) the Transformation implementation, (4) AJAX error handling in js/ajax.js, (5) the Designer implementation, (6) the charts implementation in js/tbl_chart.js, or (7) the zoom-search implementation in rows_zoom.phtml. | |||||