CVSS2: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.002 Low
Percentile: 62.0%

Adminer is open-source database management software. A cross-site scripting
vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL,
MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in
all modern browsers. The only exception is when Adminer is using a pdo_
extension to communicate with the database (it is used if the native
extensions are not enabled). In browsers without CSP, Adminer versions
4.6.1 to 4.8.0 are affected. The vulnerability is patched in version 4.8.1.
As workarounds, one can use a browser supporting strict CSP or enable the
native PHP extensions (e.g. mysqli) or disable displaying PHP errors
(display_errors).

github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7
github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc
launchpad.net/bugs/cve/CVE-2021-29625
nvd.nist.gov/vuln/detail/CVE-2021-29625
security-tracker.debian.org/tracker/CVE-2021-29625
sourceforge.net/p/adminer/bugs-and-features/797/
ubuntu.com/security/notices/USN-5271-1
www.cve.org/CVERecord?id=CVE-2021-29625