The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of phpMyAdmin

computer vulnerability alert CVE-2019-6799

phpMyAdmin: file reading via AllowArbitraryServer

Synthesis of the vulnerability

A local attacker can read a file via AllowArbitraryServer of phpMyAdmin, in order to obtain sensitive information.
Impacted products: Debian, Fedora, openSUSE Leap, phpMyAdmin, SLES.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet server.
Creation date: 28/01/2019.
Identifiers: CVE-2019-6799, DLA-1692-1, FEDORA-2019-09ae31d880, FEDORA-2019-6cfd17b03d, openSUSE-SU-2019:0194-1, PMASA-2019-1, VIGILANCE-VUL-28376.

Description of the vulnerability

A local attacker can read a file via AllowArbitraryServer of phpMyAdmin, in order to obtain sensitive information.

vulnerability alert CVE-2018-19968 CVE-2018-19969 CVE-2018-19970

phpMyAdmin: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of phpMyAdmin.
Impacted products: Debian, Fedora, openSUSE Leap, phpMyAdmin, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: client access/rights, data creation/edition.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 11/12/2018.
Identifiers: CVE-2018-19968, CVE-2018-19969, CVE-2018-19970, DLA-1658-1, FEDORA-2018-088802878a, FEDORA-2018-5aeca60933, openSUSE-SU-2018:4124-1, openSUSE-SU-2018:4125-1, PMASA-2018-6, PMASA-2018-7, PMASA-2018-8, VIGILANCE-VUL-28001.

Description of the vulnerability

An attacker can use several vulnerabilities of phpMyAdmin.

computer vulnerability note CVE-2018-15605

phpMyAdmin: Cross Site Scripting via File Import Warning Messages

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via File Import Warning Messages of phpMyAdmin, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora, openSUSE Leap, phpMyAdmin, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 22/08/2018.
Identifiers: CERTFR-2018-AVI-404, CVE-2018-15605, FEDORA-2018-f2b24ce26e, openSUSE-SU-2018:2523-1, openSUSE-SU-2018:2525-1, openSUSE-SU-2018:2525-2, PMASA-2018-5, VIGILANCE-VUL-27059.

Description of the vulnerability

The phpMyAdmin product offers a web service.

However, it does not filter data received via warning messages before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via File Import Warning Messages of phpMyAdmin, in order to run JavaScript code in the context of the web site.

vulnerability CVE-2018-12613

phpMyAdmin: code execution via File Inclusion

Synthesis of the vulnerability

An attacker can use a vulnerability via File Inclusion of phpMyAdmin, in order to run code.
Impacted products: openSUSE Leap, phpMyAdmin, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Consequences: user access/rights.
Provenance: intranet client.
Creation date: 22/06/2018.
Identifiers: CERTFR-2018-AVI-300, CVE-2018-12613, openSUSE-SU-2018:1806-1, openSUSE-SU-2018:1809-1, PMASA-2018-4, VIGILANCE-VUL-26500.

Description of the vulnerability

An attacker can use a vulnerability via File Inclusion of phpMyAdmin, in order to run code.

computer vulnerability note CVE-2018-12581

phpMyAdmin: Cross Site Scripting via Designer Feature

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Designer Feature of phpMyAdmin, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora, openSUSE Leap, phpMyAdmin, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 22/06/2018.
Identifiers: CERTFR-2018-AVI-300, CVE-2018-12581, FEDORA-2018-68349e3094, openSUSE-SU-2018:1806-1, openSUSE-SU-2018:1809-1, PMASA-2018-3, VIGILANCE-VUL-26499.

Description of the vulnerability

The phpMyAdmin product offers a web service.

However, it does not filter data received via the Designer Feature before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Designer Feature of phpMyAdmin, in order to run JavaScript code in the context of the web site.

vulnerability note CVE-2018-10188

phpMyAdmin: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of phpMyAdmin, in order to force the victim to perform operations.
Impacted products: openSUSE Leap, phpMyAdmin, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 19/04/2018.
Identifiers: CVE-2018-10188, openSUSE-SU-2018:1058-1, openSUSE-SU-2018:1059-1, PMASA-2018-2, VIGILANCE-VUL-25934.

Description of the vulnerability

The phpMyAdmin product offers a web service.

However, the origin of queries is not checked. They can for example originate from an image included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery of phpMyAdmin, in order to force the victim to perform operations.

vulnerability CVE-2018-7260

phpMyAdmin: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of phpMyAdmin, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora, openSUSE Leap, phpMyAdmin.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 21/02/2018.
Identifiers: CERTFR-2018-AVI-093, CVE-2018-7260, FEDORA-2018-147d33439c, FEDORA-2018-a1650ed14f, openSUSE-SU-2018:0536-1, PMASA-2018-1, VIGILANCE-VUL-25340.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting of phpMyAdmin, in order to run JavaScript code in the context of the web site.

computer vulnerability announce CVE-2017-1000499

phpMyAdmin: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of phpMyAdmin, in order to force the victim to perform operations.
Impacted products: Fedora, openSUSE Leap, phpMyAdmin, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 28/12/2017.
Identifiers: CERTFR-2018-AVI-001, CVE-2017-1000499, FEDORA-2017-481515e199, FEDORA-2017-cad79c7c6c, openSUSE-SU-2017:3448-1, openSUSE-SU-2017:3451-1, PMASA-2017-9, VIGILANCE-VUL-24897.

Description of the vulnerability

The phpMyAdmin product offers a web service.

However, the origin of queries is not checked. They can for example originate from an image included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery of phpMyAdmin, in order to force the victim to perform operations.

computer vulnerability announce CVE-2017-18264

phpMyAdmin: privilege escalation via AllowNoPassword

Synthesis of the vulnerability

An attacker can bypass restrictions via AllowNoPassword of phpMyAdmin, in order to escalate his privileges.
Impacted products: Debian, openSUSE Leap, phpMyAdmin.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user account.
Creation date: 29/03/2017.
Identifiers: CVE-2017-18264, DLA-1415-1, openSUSE-SU-2017:1005-1, PMASA-2017-8, VIGILANCE-VUL-22287.

Description of the vulnerability

An attacker can bypass restrictions via AllowNoPassword of phpMyAdmin, in order to escalate his privileges.

computer vulnerability bulletin CVE-2015-8980 CVE-2017-1000013 CVE-2017-1000014

phpMyAdmin: seven vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of phpMyAdmin.
Impacted products: Fedora, openSUSE Leap, phpMyAdmin.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 7.
Creation date: 24/01/2017.
Identifiers: CVE-2015-8980, CVE-2017-1000013, CVE-2017-1000014, CVE-2017-1000015, CVE-2017-1000016, CVE-2017-1000017, CVE-2017-1000018, FEDORA-2017-294c23bb1d, FEDORA-2017-360e912fdb, openSUSE-SU-2017:0372-1, PMASA-2017-1, PMASA-2017-2, PMASA-2017-3, PMASA-2017-4, PMASA-2017-5, PMASA-2017-6, PMASA-2017-7, VIGILANCE-VUL-21658.

Description of the vulnerability

Several vulnerabilities were announced in phpMyAdmin.

An attacker can deceive the user via Request Path, in order to redirect him to a malicious site. [severity:1/4; CVE-2017-1000013, PMASA-2017-1]

An attacker can use a vulnerability via php-gettext, in order to run code. [severity:2/4; CVE-2015-8980, PMASA-2017-2]

An attacker can trigger a fatal error via Table Editing, in order to trigger a denial of service. [severity:2/4; CVE-2017-1000014, PMASA-2017-3]

An attacker can alter displayed information via CSS Injection, in order to deceive the victim. [severity:2/4; CVE-2017-1000015, PMASA-2017-4]

An attacker can alter Cookies. [severity:2/4; CVE-2017-1000016, PMASA-2017-5]

An attacker can bypass security features via Connect, in order to escalate his privileges. [severity:1/4; CVE-2017-1000017, PMASA-2017-6]

An attacker can trigger a fatal error via Replication Status, in order to trigger a denial of service. [severity:2/4; CVE-2017-1000018, PMASA-2017-7]