CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS
Percentile: 99.9%
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an
attacker can include (view and potentially execute) files on the server.
The vulnerability comes from a portion of code where pages are redirected
and loaded within phpMyAdmin, and an improper test for whitelisted pages.
An attacker must be authenticated, except in the
"$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify
any host he/she is already in control of, and execute arbitrary code on
phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the
login requirement and runs the vulnerable code without any authentication).
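
A defender-side check for the conditions described above, as an added example that is not phpMyAdmin code and not part of the original advisory. The function names and the sample config are constructed, and a setting absent from the file is assumed to have the phpMyAdmin default (AllowArbitraryServer false, ServerDefault 1).

```python
import re

# Top-level assignments such as: $cfg['ServerDefault'] = 0;
# Nested keys like $cfg['Servers'][$i]['host'] do not match.
ASSIGN = re.compile(r"""\$cfg\[\s*['"](\w+)['"]\s*\]\s*=\s*([^;]+);""")

def in_affected_range(version):
    """True for 4.8.x releases before 4.8.2, the range the advisory gives."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    parts = tuple(int(p) for p in m.group().split("."))
    return parts[:2] == (4, 8) and parts[2:] < (2,)

def read_settings(config_text):
    """Collect top-level $cfg values; as in PHP, the last assignment wins."""
    text = re.sub(r"/\*.*?\*/", "", config_text, flags=re.S)  # block comments
    text = re.sub(r"(?m)^\s*(//|#).*$", "", text)             # whole-line comments
    settings = {}
    for key, value in ASSIGN.findall(text):
        settings[key] = value.strip().strip("'\"").lower()
    return settings

def audit(version, config_text):
    """Report whether the two no-login cases from the advisory apply."""
    s = read_settings(config_text)
    no_login = []
    if s.get("AllowArbitraryServer", "false") in ("true", "1"):
        no_login.append("AllowArbitraryServer")
    if s.get("ServerDefault", "1") == "0":
        no_login.append("ServerDefault")
    affected = in_affected_range(version)
    return {"affected": affected,
            "no_login_settings": no_login,
            "unauthenticated_exposure": affected and bool(no_login)}

# Constructed sample config.inc.php, for illustration only.
SAMPLE = r"""<?php
/* constructed sample */
// $cfg['AllowArbitraryServer'] = true;
$cfg['AllowArbitraryServer'] = false;
$cfg['ServerDefault'] = 0;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
"""

if __name__ == "__main__":
    print(audit("4.8.1", SAMPLE))
```

An install in the affected range that reports no no-login settings still needs the upgrade to 4.8.2 or later, since the authenticated case remains.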