
6017 matches found

Github Security Blog
added 2022/05/17 2:36 a.m. | 21 views

phpMyAdmin XSS Vulnerability

An XSS issue was discovered in phpMyAdmin because of an improper fix for CVE-2016-2559 in PMASA-2016-10. This issue is resolved by using a copy of a hash to avoid a race condition. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are...

CVSS 6.1 | AI score 5.8 | EPSS 0.00258
Exploits: 0 | References: 5 | Affected Software: 1
OSV
added 2022/05/17 2:36 a.m. | 20 views

GHSA-3HW5-FFFC-QRG4 phpMyAdmin Denial of Service (DoS)

An issue was discovered in phpMyAdmin. An unauthenticated user can execute a denial of service attack when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are affected...

CVSS 5.9 | AI score 6.1 | EPSS 0.00707
Exploits: 0 | References: 5
Github Security Blog
added 2022/05/17 2:36 a.m. | 25 views

phpMyAdmin Denial of Service (DoS)

An issue was discovered in phpMyAdmin. An unauthenticated user can execute a denial of service attack when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are affected...

CVSS 5.9 | AI score 7.3 | EPSS 0.00707
Exploits: 0 | References: 5 | Affected Software: 1
OSV
added 2022/05/17 2:36 a.m. | 28 views

GHSA-R326-MP8G-6XFC phpMyAdmin Bypass white-list protection for URL redirection

An issue was discovered in phpMyAdmin. Due to the limitation in URL matching, it was possible to bypass the URL white-list protection. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are affected...

CVSS 7.5 | AI score 7.6 | EPSS 0.00222
Exploits: 0 | References: 6
Github Security Blog
added 2022/05/17 2:36 a.m. | 31 views

phpMyAdmin DoS Vulnerability

An issue was discovered in phpMyAdmin. With a very large request to table partitioning function, it is possible to invoke a Denial of Service (DoS) attack. All 4.6.x versions prior to 4.6.5 are affected...

CVSS 7.5 | AI score 7.3 | EPSS 0.00644
Exploits: 0 | References: 5 | Affected Software: 1
OSV
added 2022/05/17 2:36 a.m. | 23 views

GHSA-QGRQ-64G6-MMH6 phpMyAdmin DoS Vulnerability

An issue was discovered in phpMyAdmin. With a very large request to table partitioning function, it is possible to invoke a Denial of Service (DoS) attack. All 4.6.x versions prior to 4.6.5 are affected...

CVSS 7.5 | AI score 6.6 | EPSS 0.00644
Exploits: 0 | References: 5
Github Security Blog
added 2022/05/17 2:36 a.m. | 18 views

phpMyAdmin CSRF Vulnerability

An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to...

CVSS 9.8 | AI score 8.9 | EPSS 0.00221
Exploits: 0 | References: 5 | Affected Software: 1
OSV
added 2022/05/17 2:36 a.m. | 15 views

GHSA-JVXX-8XXF-5495 phpMyAdmin CSRF Vulnerability

An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to...

CVSS 9.8 | AI score 7.7 | EPSS 0.00221
Exploits: 0 | References: 5
Github Security Blog
added 2022/05/17 2:25 a.m. | 23 views

phpMyAdmin Cookie attribute injection attack

A weakness was discovered where an attacker can inject arbitrary values into the browser cookies. This is a re-issue of an incomplete fix from PMASA-2016-18...

CVSS 7.5 | AI score 7.1 | EPSS 0.00488
Exploits: 0 | References: 4 | Affected Software: 1
OSV
added 2022/05/17 2:25 a.m. | 21 views

GHSA-J2CQ-H6V2-F875 phpMyAdmin Cookie attribute injection attack

A weakness was discovered where an attacker can inject arbitrary values into the browser cookies. This is a re-issue of an incomplete fix from PMASA-2016-18...

CVSS 7.5 | AI score 7.5 | EPSS 0.00488
Exploits: 0 | References: 3
Github Security Blog
added 2022/05/17 2:1 a.m. | 11 views

phpMyAdmin allows remote attackers to obtain installation path via direct request for nonexistent file

phpMyAdmin 2.11.x before 2.11.11.2, and 3.3.x before 3.3.9.1, does not properly handle the absence of the (1) README, (2) ChangeLog, and (3) LICENSE files, which allows remote attackers to obtain the installation path via a direct request for a nonexistent file...

CVSS 5 | AI score 7.1 | EPSS 0.00546
Exploits: 0 | References: 9 | Affected Software: 1
OSV
added 2022/05/17 2:1 a.m. | 1 views

GHSA-WCMM-28RG-MG3R phpMyAdmin allows remote attackers to obtain installation path via direct request for nonexistent file

phpMyAdmin 2.11.x before 2.11.11.2, and 3.3.x before 3.3.9.1, does not properly handle the absence of the (1) README, (2) ChangeLog, and (3) LICENSE files, which allows remote attackers to obtain the installation path via a direct request for a nonexistent file...

CVSS 5 | AI score 6.3 | EPSS 0.00546
Exploits: 0 | References: 9
Github Security Blog
added 2022/05/17 1:54 a.m. | 24 views

phpMyAdmin Directory Traversal Vulnerability

Multiple directory traversal vulnerabilities in the relational schema implementation in phpMyAdmin 3.4.x before 3.4.3.2 allow remote authenticated users to include and execute arbitrary local files via directory traversal sequences in an export type field, related to 1...

CVSS 6 | AI score 7.4 | EPSS 0.01003
Exploits: 0 | References: 14 | Affected Software: 1
OSV
added 2022/05/17 1:54 a.m. | 20 views

GHSA-XHQQ-554J-P4X8 phpMyAdmin Directory Traversal Vulnerability

Multiple directory traversal vulnerabilities in the relational schema implementation in phpMyAdmin 3.4.x before 3.4.3.2 allow remote authenticated users to include and execute arbitrary local files via directory traversal sequences in an export type field, related to 1...

CVSS 6 | AI score 6.5 | EPSS 0.01003
Exploits: 0 | References: 14
Github Security Blog
added 2022/05/17 1:52 a.m. | 24 views

phpMyAdmin vulnerable to XML external entity (XXE) injection attack

The simplexml_load_string function in the XML import plug-in libraries/import/xml.php in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection...

CVSS 6.5 | AI score 7.1 | EPSS 0.12434
Exploits: 7 | References: 18 | Affected Software: 1
OSV
added 2022/05/17 1:52 a.m. | 24 views

GHSA-Q4MM-89Q2-XFFG phpMyAdmin vulnerable to XML external entity (XXE) injection attack

The simplexml_load_string function in the XML import plug-in libraries/import/xml.php in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection...

CVSS 6.5 | AI score 6.2 | EPSS 0.12434
Exploits: 7 | References: 18
OSV
added 2022/05/17 1:51 a.m. | 3 views

GHSA-2H23-C973-X63Q phpMyAdmin Cross-site Scripting vulnerability

Cross-site scripting (XSS) vulnerability in libraries/config/ConfigFile.class.php in the setup interface in phpMyAdmin 3.4.x before 3.4.9 allows remote attackers to inject arbitrary web script or HTML via the host parameter...

CVSS 5.3 | AI score 5.4 | EPSS 0.00475
Exploits: 2 | References: 9
Github Security Blog
added 2022/05/17 1:51 a.m. | 5 views

phpMyAdmin Cross-site Scripting vulnerability

Cross-site scripting (XSS) vulnerability in libraries/config/ConfigFile.class.php in the setup interface in phpMyAdmin 3.4.x before 3.4.9 allows remote attackers to inject arbitrary web script or HTML via the host parameter...

CVSS 4.3 | AI score 6 | EPSS 0.00475
Exploits: 2 | References: 9 | Affected Software: 1
OSV
added 2022/05/14 3:40 a.m. | 18 views

GHSA-GQMJ-F46X-WQHW phpMyAdmin Cross-site scripting (XSS) vulnerability in central columns feature

Cross-site scripting (XSS) vulnerability in db_central_columns.php in phpMyAdmin before 4.7.8 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL...

CVSS 5.4 | AI score 5.1 | EPSS 0.00302
Exploits: 1 | References: 6
Github Security Blog
added 2022/05/14 3:40 a.m. | 13 views

phpMyAdmin Cross-site scripting (XSS) vulnerability in central columns feature

Cross-site scripting (XSS) vulnerability in db_central_columns.php in phpMyAdmin before 4.7.8 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL...

CVSS 5.4 | AI score 5.5 | EPSS 0.00302
Exploits: 1 | References: 6 | Affected Software: 1