Vulnerabilities (CVE)

Filtered by vendor Phpmyadmin
Total 270 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2016-6631 1 Phpmyadmin 1 Phpmyadmin 2024-02-28 8.5 HIGH 7.5 HIGH
An issue was discovered in phpMyAdmin. A user can execute a remote code execution attack against a server when phpMyAdmin is being run as a CGI application. Under certain server configurations, a user can pass a query string which is executed as a command-line argument by the file generator_plugin.sh. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-6614 1 Phpmyadmin 1 Phpmyadmin 2024-02-28 4.3 MEDIUM 6.8 MEDIUM
An issue was discovered in phpMyAdmin involving the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a specially-crafted user name can be used to circumvent restrictions to traverse the file system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-4412 1 Phpmyadmin 1 Phpmyadmin 2024-02-28 3.6 LOW 4.4 MEDIUM
An issue was discovered in phpMyAdmin. A user can be tricked into following a link leading to phpMyAdmin, which after authentication redirects to another malicious site. The attacker must sniff the user's valid phpMyAdmin token. All 4.0.x versions (prior to 4.0.10.16) are affected.
CVE-2016-9864 1 Phpmyadmin 1 Phpmyadmin 2024-02-28 6.0 MEDIUM 7.5 HIGH
An issue was discovered in phpMyAdmin. With a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the MySQL database. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
CVE-2016-9849 1 Phpmyadmin 1 Phpmyadmin 2024-02-28 7.5 HIGH 9.8 CRITICAL
An issue was discovered in phpMyAdmin. It is possible to bypass AllowRoot restriction ($cfg['Servers'][$i]['AllowRoot']) and deny rules for username by using Null Byte in the username. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
CVE-2016-9858 1 Phpmyadmin 1 Phpmyadmin 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in saved searches feature. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
CVE-2016-6630 1 Phpmyadmin 1 Phpmyadmin 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
An issue was discovered in phpMyAdmin. An authenticated user can trigger a denial-of-service (DoS) attack by entering a very long password at the change password dialog. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-6625 1 Phpmyadmin 1 Phpmyadmin 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in phpMyAdmin. An attacker can determine whether a user is logged in to phpMyAdmin. The user's session, username, and password are not compromised by this vulnerability. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-5739 2 Opensuse, Phpmyadmin 3 Leap, Opensuse, Phpmyadmin 2024-02-28 5.0 MEDIUM 7.5 HIGH
The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php.
CVE-2016-5706 2 Opensuse, Phpmyadmin 3 Leap, Opensuse, Phpmyadmin 2024-02-28 5.0 MEDIUM 7.5 HIGH
js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to cause a denial of service via a large array in the scripts parameter.
CVE-2016-5730 2 Opensuse, Phpmyadmin 3 Leap, Opensuse, Phpmyadmin 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a missing config directory during setup, or (5) an incorrect OpenID identifier data type, which reveals the full path in an error message.
CVE-2016-5734 1 Phpmyadmin 1 Phpmyadmin 2024-02-28 7.5 HIGH 9.8 CRITICAL
phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation.
CVE-2016-5097 2 Opensuse, Phpmyadmin 2 Opensuse, Phpmyadmin 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
phpMyAdmin before 4.6.2 places tokens in query strings and does not arrange for them to be stripped before external navigation, which allows remote attackers to obtain sensitive information by reading (1) HTTP requests or (2) server logs.
CVE-2016-5703 2 Opensuse, Phpmyadmin 3 Leap, Opensuse, Phpmyadmin 2024-02-28 7.5 HIGH 9.8 CRITICAL
SQL injection vulnerability in libraries/central_columns.lib.php in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allows remote attackers to execute arbitrary SQL commands via a crafted database name that is mishandled in a central column query.
CVE-2016-2038 3 Fedoraproject, Opensuse, Phpmyadmin 4 Fedora, Leap, Opensuse and 1 more 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message.
CVE-2015-8669 1 Phpmyadmin 1 Phpmyadmin 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
libraries/config/messages.inc.php in phpMyAdmin 4.0.x before 4.0.10.12, 4.4.x before 4.4.15.2, and 4.5.x before 4.5.3.1 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message.
CVE-2015-3903 1 Phpmyadmin 1 Phpmyadmin 2024-02-28 4.3 MEDIUM N/A
libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 disables X.509 certificate verification for GitHub API calls over SSL, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVE-2016-5732 1 Phpmyadmin 1 Phpmyadmin 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in the partition-range implementation in templates/table/structure/display_partitions.phtml in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via crafted table parameters.
CVE-2016-2561 1 Phpmyadmin 1 Phpmyadmin 2024-02-28 3.5 LOW 5.4 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3) templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos parameter to db_central_columns.php in the central columns page.
CVE-2016-5702 1 Phpmyadmin 1 Phpmyadmin 2024-02-28 4.3 MEDIUM 3.7 LOW
phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI.