Количество 1 093
Количество 1 093
GHSA-9ggj-rc46-h95f
Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows remote attackers to inject arbitrary web script or HTML via the sql_query parameter.
GHSA-9cxr-7vrj-vpj8
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via certain input available in (1) PHP_SELF in (a) server_status.php, and (b) grab_globals.lib.php, (c) display_change_password.lib.php, and (d) common.lib.php in libraries/; and certain input available in PHP_SELF and (2) PATH_INFO in libraries/common.inc.php. NOTE: there might also be other vectors related to (3) REQUEST_URI.
GHSA-99xj-xqc9-98hr
phpMyAdmin SSRF in replication
GHSA-97x5-mp4j-qrgq
Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding.
GHSA-97pg-mf6p-74fr
Multiple PHP remote file inclusion vulnerabilities in phpMyAdmin 2.6.1 allow remote attackers to execute arbitrary PHP code by modifying the (1) theme parameter to phpmyadmin.css.php or (2) cfg[Server][extension] parameter to database_interface.lib.php to reference a URL on a remote web server that contains the code.
GHSA-97fm-cg55-639q
An issue was discovered in phpMyAdmin involving the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a specially-crafted user name can be used to circumvent restrictions to traverse the file system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
GHSA-96fj-xvfq-8rxm
Directory traversal vulnerability in the Export feature in phpMyAdmin 4.x before 4.0.0-rc3 allows remote authenticated users to read arbitrary files or possibly have unspecified other impact via a parameter that specifies a crafted export type.
GHSA-9645-6g72-2pv8
phpMyAdmin unsafely handles temporary files
GHSA-95j2-g4qr-3jj6
phpMyAdmin 2.6.1 allows remote attackers to obtain the full path of the server via direct requests to (1) sqlvalidator.lib.php, (2) sqlparser.lib.php, (3) select_theme.lib.php, (4) select_lang.lib.php, (5) relation_cleanup.lib.php, (6) header_meta_style.inc.php, (7) get_foreign.lib.php, (8) display_tbl_links.lib.php, (9) display_export.lib.php, (10) db_table_exists.lib.php, (11) charset_conversion.lib.php, (12) ufpdf.php, (13) mysqli.dbi.lib.php, (14) setup.php, or (15) cookie.auth.lib.php, which reveals the path in a PHP error message.
GHSA-95g8-x9vg-h9h4
The SQL install script in phpMyAdmin 2.6.2 is created with world-readable permissions, which allows local users to obtain the initial database password by reading the script.
GHSA-94c8-rc5m-5x39
An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
GHSA-8wqv-f9xx-xf24
Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin before 2.6.2-rc1 allows remote attackers to inject arbitrary web script or HTML via the convcharset parameter.
GHSA-8wf2-3ggj-78q9
Improper Authentication in phpmyadmin
GHSA-8w5f-7346-5p5m
An issue was discovered in phpMyAdmin. An authenticated user can trigger a denial-of-service (DoS) attack by entering a very long password at the change password dialog. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
GHSA-8vv2-p6c9-46c2
show_config_errors.php in phpMyAdmin 3.5.x before 3.5.2.1 allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message, related to lack of inclusion of the common.inc.php library file.
GHSA-8pvh-2357-g3c2
An issue was discovered in cookie encryption in phpMyAdmin. The decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user's browser cookie file to decrypt the username and password. Furthermore, the same initialization vector (IV) is used to hash the username and password stored in the phpMyAdmin cookie. If a user has the same password as their username, an attacker who examines the browser cookie can see that they are the same - but the attacker can not directly decode these values from the cookie as it is still hashed. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
GHSA-8m97-xc46-rw9w
phpMyAdmin Unsafe comparison of XSRF/CSRF token
GHSA-8m58-pwg7-52c3
** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow remote attackers to inject arbitrary web script or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameter. NOTE: a third party reports that this is "not exploitable."
GHSA-8hf4-h9w2-2g7p
Cross-site scripting (XSS) vulnerability in the PMA_linkOrButton function in libraries/common.lib.php in the database (db) search script in phpMyAdmin 2.11.x before 2.11.11.1 and 3.x before 3.3.8.1 allows remote attackers to inject arbitrary web script or HTML via a crafted request.
GHSA-8c4c-pxpc-3vv4
Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via the table parameter.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано | |
---|---|---|---|---|
GHSA-9ggj-rc46-h95f Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows remote attackers to inject arbitrary web script or HTML via the sql_query parameter. | 9% Низкий | больше 3 лет назад | ||
GHSA-9cxr-7vrj-vpj8 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via certain input available in (1) PHP_SELF in (a) server_status.php, and (b) grab_globals.lib.php, (c) display_change_password.lib.php, and (d) common.lib.php in libraries/; and certain input available in PHP_SELF and (2) PATH_INFO in libraries/common.inc.php. NOTE: there might also be other vectors related to (3) REQUEST_URI. | 11% Средний | больше 3 лет назад | ||
GHSA-99xj-xqc9-98hr phpMyAdmin SSRF in replication | CVSS3: 8.8 | 1% Низкий | около 3 лет назад | |
GHSA-97x5-mp4j-qrgq Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding. | CVSS3: 6.1 | 0% Низкий | около 3 лет назад | |
GHSA-97pg-mf6p-74fr Multiple PHP remote file inclusion vulnerabilities in phpMyAdmin 2.6.1 allow remote attackers to execute arbitrary PHP code by modifying the (1) theme parameter to phpmyadmin.css.php or (2) cfg[Server][extension] parameter to database_interface.lib.php to reference a URL on a remote web server that contains the code. | 1% Низкий | больше 3 лет назад | ||
GHSA-97fm-cg55-639q An issue was discovered in phpMyAdmin involving the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a specially-crafted user name can be used to circumvent restrictions to traverse the file system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | CVSS3: 6.8 | 1% Низкий | около 3 лет назад | |
GHSA-96fj-xvfq-8rxm Directory traversal vulnerability in the Export feature in phpMyAdmin 4.x before 4.0.0-rc3 allows remote authenticated users to read arbitrary files or possibly have unspecified other impact via a parameter that specifies a crafted export type. | 4% Низкий | около 3 лет назад | ||
GHSA-9645-6g72-2pv8 phpMyAdmin unsafely handles temporary files | 3% Низкий | около 3 лет назад | ||
GHSA-95j2-g4qr-3jj6 phpMyAdmin 2.6.1 allows remote attackers to obtain the full path of the server via direct requests to (1) sqlvalidator.lib.php, (2) sqlparser.lib.php, (3) select_theme.lib.php, (4) select_lang.lib.php, (5) relation_cleanup.lib.php, (6) header_meta_style.inc.php, (7) get_foreign.lib.php, (8) display_tbl_links.lib.php, (9) display_export.lib.php, (10) db_table_exists.lib.php, (11) charset_conversion.lib.php, (12) ufpdf.php, (13) mysqli.dbi.lib.php, (14) setup.php, or (15) cookie.auth.lib.php, which reveals the path in a PHP error message. | 1% Низкий | больше 3 лет назад | ||
GHSA-95g8-x9vg-h9h4 The SQL install script in phpMyAdmin 2.6.2 is created with world-readable permissions, which allows local users to obtain the initial database password by reading the script. | 0% Низкий | больше 3 лет назад | ||
GHSA-94c8-rc5m-5x39 An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | CVSS3: 8.1 | 0% Низкий | около 3 лет назад | |
GHSA-8wqv-f9xx-xf24 Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin before 2.6.2-rc1 allows remote attackers to inject arbitrary web script or HTML via the convcharset parameter. | 10% Средний | больше 3 лет назад | ||
GHSA-8wf2-3ggj-78q9 Improper Authentication in phpmyadmin | CVSS3: 4.3 | 0% Низкий | больше 3 лет назад | |
GHSA-8w5f-7346-5p5m An issue was discovered in phpMyAdmin. An authenticated user can trigger a denial-of-service (DoS) attack by entering a very long password at the change password dialog. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | CVSS3: 6.5 | 1% Низкий | около 3 лет назад | |
GHSA-8vv2-p6c9-46c2 show_config_errors.php in phpMyAdmin 3.5.x before 3.5.2.1 allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message, related to lack of inclusion of the common.inc.php library file. | 0% Низкий | около 3 лет назад | ||
GHSA-8pvh-2357-g3c2 An issue was discovered in cookie encryption in phpMyAdmin. The decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user's browser cookie file to decrypt the username and password. Furthermore, the same initialization vector (IV) is used to hash the username and password stored in the phpMyAdmin cookie. If a user has the same password as their username, an attacker who examines the browser cookie can see that they are the same - but the attacker can not directly decode these values from the cookie as it is still hashed. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | CVSS3: 8.1 | 0% Низкий | около 3 лет назад | |
GHSA-8m97-xc46-rw9w phpMyAdmin Unsafe comparison of XSRF/CSRF token | CVSS3: 7.5 | 1% Низкий | около 3 лет назад | |
GHSA-8m58-pwg7-52c3 ** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow remote attackers to inject arbitrary web script or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameter. NOTE: a third party reports that this is "not exploitable." | CVSS3: 6.1 | 8% Низкий | около 3 лет назад | |
GHSA-8hf4-h9w2-2g7p Cross-site scripting (XSS) vulnerability in the PMA_linkOrButton function in libraries/common.lib.php in the database (db) search script in phpMyAdmin 2.11.x before 2.11.11.1 and 3.x before 3.3.8.1 allows remote attackers to inject arbitrary web script or HTML via a crafted request. | 1% Низкий | около 3 лет назад | ||
GHSA-8c4c-pxpc-3vv4 Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via the table parameter. | 1% Низкий | больше 3 лет назад |
Уязвимостей на страницу