228 matches found
Multiple XSS vulnerabilities
PMASA-2016-30 Announcement-ID: PMASA-2016-30 Date: 2016-07-07 Updated: 2016-11-24 Summary Multiple XSS vulnerabilities Description Multiple vulnerabilities have been discovered in the following areas of phpMyAdmin: Zoom search: Specially crafted column content can be used to trigger an XSS attack...
XSS in table Print view.
PMASA-2011-9 Announcement-ID: PMASA-2011-9 Date: 2011-07-23 Summary XSS in table Print view. Description The attacker must trick the victim into clicking a link that reaches phpMyAdmin's table print view script; one of the link's parameters is a crafted table name the name containing Javascript...
URL redirection to untrusted site.
PMASA-2011-4 Announcement-ID: PMASA-2011-4 Date: 2011-05-22 Summary URL redirection to untrusted site. Description It was possible to redirect to an arbitrary, untrusted site, leading to a possible phishing attack. Severity We consider this vulnerability to be serious. Affected Versions The 3.4.0...
XSRF (Cross Site Request Forgery) vulnerabilities
PMASA-2006-5 Announcement-ID: PMASA-2006-5 Date: 2006-10-01 Summary XSRF Cross Site Request Forgery vulnerabilities Description We received a security advisory from Stefan Esser [email protected] and we wish to thank him for his work. It was possible to inject arbitrary SQL commands by...
A variable injection vulnerability was found in phpMyAdmin, that may allow an attacker to conduct Cross-site scripting (XSS) attacks and / or perform remote file inclusion.
PMASA-2005-1 Announcement-ID: PMASA-2005-1 Date: 2005-02-25 Summary A variable injection vulnerability was found in phpMyAdmin, that may allow an attacker to conduct Cross-site scripting XSS attacks and / or perform remote file inclusion. Description We received two bug reports by Maksymilian...
Detect if user is logged in
PMASA-2016-48 Announcement-ID: PMASA-2016-48 Date: 2016-07-24 Summary Detect if user is logged in Description A vulnerability was reported where an attacker can determine whether a user is logged in to phpMyAdmin. The user's session, username, and password are not compromised by this vulnerabilit...
Multiple full path disclosure vulnerabilities
PMASA-2016-23 Announcement-ID: PMASA-2016-23 Date: 2016-06-23 Summary Multiple full path disclosure vulnerabilities Description This PMASA contains information on multiple full-path disclosure vulnerabilities reported in phpMyAdmin. By specially crafting requests in the following areas, it is...
Multiple XSS vulnerabilities.
PMASA-2016-3 Announcement-ID: PMASA-2016-3 Date: 2016-01-24 Summary Multiple XSS vulnerabilities. Description With a crafted table name it is possible to trigger an XSS attack in the database search page. With a crafted SET value or a crafted search query, it is possible to trigger an XSS attacks...
Access for an unprivileged user to MySQL user list.
PMASA-2014-7 Announcement-ID: PMASA-2014-7 Date: 2014-07-17 Summary Access for an unprivileged user to MySQL user list. Description An unpriviledged user could view the MySQL user list and manipulate the tabs displayed in phpMyAdmin for them. Severity We consider this vulnerability to be non...
ClickJacking protection can be bypassed.
PMASA-2013-10 Announcement-ID: PMASA-2013-10 Date: 2013-08-04 Updated: 2013-08-05 Summary ClickJacking protection can be bypassed. Description phpMyAdmin has a number of mechanisms to avoid a clickjacking attack, however these mechanisms either work only in modern browser versions, or can be...
XSS attack in database search.
PMASA-2010-8 Announcement-ID: PMASA-2010-8 Date: 2010-11-29 Summary XSS attack in database search. Description It was possible to conduct a XSS attack using spoofed request on the db search script. Severity We consider this vulnerability to be non critical. Affected Versions For 3.x: versions...
Insufficient output sanitizing when generating configuration file.
PMASA-2009-4 Announcement-ID: PMASA-2009-4 Date: 2009-04-14 Summary Insufficient output sanitizing when generating configuration file. Description Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file...
HTTP Response Splitting vulnerability
PMASA-2007-1 Announcement-ID: PMASA-2007-1 Date: 2007-01-16 Summary HTTP Response Splitting vulnerability Description On systems running PHP 5 before 5.1.2 or PHP 4 before 4.4.2, it is possible to trigger this vulnerability by editing the cookie containing PHP's session id. This can be used to se...
Denial of service (DOS) attack by changing password to a very long string
PMASA-2016-53 Announcement-ID: PMASA-2016-53 Date: 2016-07-25 Summary Denial of service DOS attack by changing password to a very long string Description An authenticated user can trigger a denial-of-service DOS attack by entering a very long password at the change password dialog. Severity We...
XSS vulnerabilities in SQL debug output and server monitor page.
PMASA-2014-12 Announcement-ID: PMASA-2014-12 Date: 2014-10-21 Summary XSS vulnerabilities in SQL debug output and server monitor page. Description With a crafted database or table name it is possible to trigger an XSS in SQL debug output when enabled and in server monitor page when viewing and...
Global variable scope injection.
PMASA-2013-7 Announcement-ID: PMASA-2013-7 Date: 2013-06-30 Updated: 2013-07-01 Summary Global variable scope injection. Description The import.php script was vulnerable to GLOBALS variable injection. Therefore, an attacker could manipulate any configuration parameter. Severity We consider this...
Unsafe handling of temporary files
PMASA-2010-2 Announcement-ID: PMASA-2010-2 Date: 2010-01-15 Summary Unsafe handling of temporary files Description phpMyAdmin created temporary files with predictable file name. Severity We consider these vulnerabilities to be not critical. Affected Versions For 2.11.x: versions before 2.11.10 ar...
Local file exposure
PMASA-2016-35 Announcement-ID: PMASA-2016-35 Date: 2016-07-12 Summary Local file exposure Description A vulnerability was discovered where a user can exploit the LOAD LOCAL INFILE functionality to expose files on the server to the database system. Severity We consider this vulnerability to be...
SQL query could be executed under another user.
PMASA-2011-2 Announcement-ID: PMASA-2011-2 Date: 2011-02-11 Summary SQL query could be executed under another user. Description It was possible to create a bookmark which would be executed unintentionally by other users. Severity We consider this vulnerability to be critical. Mitigation factor To...
Multiple XSS vulnerability were found in phpMyAdmin, that may allow an attacker to conduct Cross-site scripting (XSS) attacks.
PMASA-2004-3 Announcement-ID: PMASA-2004-3 Date: 2004-11-18 Summary Multiple XSS vulnerability were found in phpMyAdmin, that may allow an attacker to conduct Cross-site scripting XSS attacks. Description We received a security advisory from Cedric Cochin netvigilance.com about those...
File Traversal Protection Bypass on Error Reporting
PMASA-2016-15 Announcement-ID: PMASA-2016-15 Date: 2016-05-25 Updated: 2016-05-26 Summary File Traversal Protection Bypass on Error Reporting Description A specially crafted payload could result in the error reporting component exposing whether an arbitrary file exists on the file system and the...
Path disclosure when some files have been removed.
PMASA-2011-1 Announcement-ID: PMASA-2011-1 Date: 2011-02-08 Summary Path disclosure when some files have been removed. Description When the files README, ChangeLog or LICENSE have been removed from their original place possibly by the distributor, the scripts used to display these files can show...
Unsafe handling of temporary directory
PMASA-2010-1 Announcement-ID: PMASA-2010-1 Date: 2010-01-15 Summary Unsafe handling of temporary directory Description phpMyAdmin used to automatically create temporary world writable directory what could lead to possible misuse of it. Severity We consider these vulnerabilities to be not critical...
XSS vulnerability
PMASA-2009-5 Announcement-ID: PMASA-2009-5 Date: 2009-06-30 Summary XSS vulnerability Description It was possible to conduct an XSS attack via a crafted SQL bookmark. Severity We consider this vulnerability to be serious. Affected Versions For 2.11.x: versions are not affected. For 3.x: All 3.x...
XSS on Insert page
PMASA-2025-2 Announcement-ID: PMASA-2025-2 Date: 2025-01-20 Updated: 2025-01-23 Summary XSS on Insert page Description An XSS vulnerability has been discovered with the phpMyAdmin "Insert" tab. Severity We consider this vulnerability to be of moderate severity. Affected Versions phpMyAdmin versio...
XSS vulnerabilities
PMASA-2006-2 Announcement-ID: PMASA-2006-2 Date: 2006-05-12 Summary XSS vulnerabilities Description 1. It was possible to conduct an XSS attack with a crafted lang or theme parameter. 2. The db parameter was also vulnerable to an XSS attack. Severity We consider these vulnerabilities to be...
Multiple XSS.
PMASA-2011-14 Announcement-ID: PMASA-2011-14 Date: 2011-09-14 Summary Multiple XSS. Description Firstly, if a row contains javascript code, after inline editing this row and saving, the code is executed. Secondly, missing sanitization on the db, table and column names leads to XSS vulnerabilities...
(1) Local file inclusion vulnerability and (2) Cross-Site Scripting vulnerability
PMASA-2005-5 Announcement-ID: PMASA-2005-5 Date: 2005-10-22 Updated: 2005-10-25 Summary 1 Local file inclusion vulnerability and 2 Cross-Site Scripting vulnerability Description We received a security advisory from Stefan Esser [email protected] about 1. We received a security advisory from...