Arbitrary file read vulnerability

PMASA-2019-1 Announcement-ID: PMASA-2019-1 Date: 2019-01-21 Summary Arbitrary file read vulnerability Description When AllowArbitraryServer configuration set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. phpMyadmi...

Self XSS in central columns feature

PMASA-2018-1 Announcement-ID: PMASA-2018-1 Date: 2018-02-20 Summary Self XSS in central columns feature Description A self-cross site scripting XSS vulnerability has been reported relating to the central columns feature. Severity We consider this vulnerability to be of moderate severity. Mitigati...

Unsafe generation of blowfish secret

PMASA-2016-58 Announcement-ID: PMASA-2016-58 Date: 2016-11-25 Updated: 2016-12-06 Summary Unsafe generation of blowfish secret Description When the user does not specify a blowfishsecret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where the way th...

Remote code execution vulnerability when PHP is running with dbase extension

PMASA-2016-56 Announcement-ID: PMASA-2016-56 Date: 2016-07-25 Summary Remote code execution vulnerability when PHP is running with dbase extension Description A vulnerability was discovered where phpMyAdmin can be used to trigger a remote code execution attack against certain PHP installations...

Detect if user is logged in

PMASA-2016-48 Announcement-ID: PMASA-2016-48 Date: 2016-07-24 Summary Detect if user is logged in Description A vulnerability was reported where an attacker can determine whether a user is logged in to phpMyAdmin. The user's session, username, and password are not compromised by this vulnerabilit...

Multiple full path disclosure vulnerabilities

PMASA-2016-23 Announcement-ID: PMASA-2016-23 Date: 2016-06-23 Summary Multiple full path disclosure vulnerabilities Description This PMASA contains information on multiple full-path disclosure vulnerabilities reported in phpMyAdmin. By specially crafting requests in the following areas, it is...

Multiple XSS vulnerabilities.

PMASA-2016-3 Announcement-ID: PMASA-2016-3 Date: 2016-01-24 Summary Multiple XSS vulnerabilities. Description With a crafted table name it is possible to trigger an XSS attack in the database search page. With a crafted SET value or a crafted search query, it is possible to trigger an XSS attacks...

ClickJacking protection can be bypassed.

PMASA-2013-10 Announcement-ID: PMASA-2013-10 Date: 2013-08-04 Updated: 2013-08-05 Summary ClickJacking protection can be bypassed. Description phpMyAdmin has a number of mechanisms to avoid a clickjacking attack, however these mechanisms either work only in modern browser versions, or can be...

XSS attack in database search.

PMASA-2010-8 Announcement-ID: PMASA-2010-8 Date: 2010-11-29 Summary XSS attack in database search. Description It was possible to conduct a XSS attack using spoofed request on the db search script. Severity We consider this vulnerability to be non critical. Affected Versions For 3.x: versions...

Insufficient output sanitizing when generating configuration file.

PMASA-2009-4 Announcement-ID: PMASA-2009-4 Date: 2009-04-14 Summary Insufficient output sanitizing when generating configuration file. Description Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file...

HTTP Response Splitting vulnerability

PMASA-2007-1 Announcement-ID: PMASA-2007-1 Date: 2007-01-16 Summary HTTP Response Splitting vulnerability Description On systems running PHP 5 before 5.1.2 or PHP 4 before 4.4.2, it is possible to trigger this vulnerability by editing the cookie containing PHP's session id. This can be used to se...

A variable injection vulnerability was found in phpMyAdmin, that may allow an attacker to conduct Cross-site scripting (XSS) attacks and / or perform remote file inclusion.

PMASA-2005-1 Announcement-ID: PMASA-2005-1 Date: 2005-02-25 Summary A variable injection vulnerability was found in phpMyAdmin, that may allow an attacker to conduct Cross-site scripting XSS attacks and / or perform remote file inclusion. Description We received two bug reports by Maksymilian...

Denial of service (DOS) attack by changing password to a very long string

PMASA-2016-53 Announcement-ID: PMASA-2016-53 Date: 2016-07-25 Summary Denial of service DOS attack by changing password to a very long string Description An authenticated user can trigger a denial-of-service DOS attack by entering a very long password at the change password dialog. Severity We...

XSS vulnerabilities in SQL debug output and server monitor page.

PMASA-2014-12 Announcement-ID: PMASA-2014-12 Date: 2014-10-21 Summary XSS vulnerabilities in SQL debug output and server monitor page. Description With a crafted database or table name it is possible to trigger an XSS in SQL debug output when enabled and in server monitor page when viewing and...

Access for an unprivileged user to MySQL user list.

PMASA-2014-7 Announcement-ID: PMASA-2014-7 Date: 2014-07-17 Summary Access for an unprivileged user to MySQL user list. Description An unpriviledged user could view the MySQL user list and manipulate the tabs displayed in phpMyAdmin for them. Severity We consider this vulnerability to be non...

Global variable scope injection.

PMASA-2013-7 Announcement-ID: PMASA-2013-7 Date: 2013-06-30 Updated: 2013-07-01 Summary Global variable scope injection. Description The import.php script was vulnerable to GLOBALS variable injection. Therefore, an attacker could manipulate any configuration parameter. Severity We consider this...

Unsafe handling of temporary files

PMASA-2010-2 Announcement-ID: PMASA-2010-2 Date: 2010-01-15 Summary Unsafe handling of temporary files Description phpMyAdmin created temporary files with predictable file name. Severity We consider these vulnerabilities to be not critical. Affected Versions For 2.11.x: versions before 2.11.10 ar...

Multiple XSS vulnerability were found in phpMyAdmin, that may allow an attacker to conduct Cross-site scripting (XSS) attacks.

PMASA-2004-3 Announcement-ID: PMASA-2004-3 Date: 2004-11-18 Summary Multiple XSS vulnerability were found in phpMyAdmin, that may allow an attacker to conduct Cross-site scripting XSS attacks. Description We received a security advisory from Cedric Cochin netvigilance.com about those...

Local file exposure

PMASA-2016-35 Announcement-ID: PMASA-2016-35 Date: 2016-07-12 Summary Local file exposure Description A vulnerability was discovered where a user can exploit the LOAD LOCAL INFILE functionality to expose files on the server to the database system. Severity We consider this vulnerability to be...

SQL query could be executed under another user.

PMASA-2011-2 Announcement-ID: PMASA-2011-2 Date: 2011-02-11 Summary SQL query could be executed under another user. Description It was possible to create a bookmark which would be executed unintentionally by other users. Severity We consider this vulnerability to be critical. Mitigation factor To...

File Traversal Protection Bypass on Error Reporting

PMASA-2016-15 Announcement-ID: PMASA-2016-15 Date: 2016-05-25 Updated: 2016-05-26 Summary File Traversal Protection Bypass on Error Reporting Description A specially crafted payload could result in the error reporting component exposing whether an arbitrary file exists on the file system and the...

Path disclosure when some files have been removed.

PMASA-2011-1 Announcement-ID: PMASA-2011-1 Date: 2011-02-08 Summary Path disclosure when some files have been removed. Description When the files README, ChangeLog or LICENSE have been removed from their original place possibly by the distributor, the scripts used to display these files can show...

Unsafe handling of temporary directory

PMASA-2010-1 Announcement-ID: PMASA-2010-1 Date: 2010-01-15 Summary Unsafe handling of temporary directory Description phpMyAdmin used to automatically create temporary world writable directory what could lead to possible misuse of it. Severity We consider these vulnerabilities to be not critical...

XSS vulnerability

PMASA-2009-5 Announcement-ID: PMASA-2009-5 Date: 2009-06-30 Summary XSS vulnerability Description It was possible to conduct an XSS attack via a crafted SQL bookmark. Severity We consider this vulnerability to be serious. Affected Versions For 2.11.x: versions are not affected. For 3.x: All 3.x...

XSS vulnerabilities

PMASA-2006-2 Announcement-ID: PMASA-2006-2 Date: 2006-05-12 Summary XSS vulnerabilities Description 1. It was possible to conduct an XSS attack with a crafted lang or theme parameter. 2. The db parameter was also vulnerable to an XSS attack. Severity We consider these vulnerabilities to be...

XSS on Insert page

PMASA-2025-2 Announcement-ID: PMASA-2025-2 Date: 2025-01-20 Updated: 2025-01-23 Summary XSS on Insert page Description An XSS vulnerability has been discovered with the phpMyAdmin "Insert" tab. Severity We consider this vulnerability to be of moderate severity. Affected Versions phpMyAdmin versio...

Multiple XSS.

PMASA-2011-14 Announcement-ID: PMASA-2011-14 Date: 2011-09-14 Summary Multiple XSS. Description Firstly, if a row contains javascript code, after inline editing this row and saving, the code is executed. Secondly, missing sanitization on the db, table and column names leads to XSS vulnerabilities...

(1) Local file inclusion vulnerability and (2) Cross-Site Scripting vulnerability

PMASA-2005-5 Announcement-ID: PMASA-2005-5 Date: 2005-10-22 Updated: 2005-10-25 Summary 1 Local file inclusion vulnerability and 2 Cross-Site Scripting vulnerability Description We received a security advisory from Stefan Esser [email protected] about 1. We received a security advisory from...