ALT-PU-2023-7634-4 — phpMyAdmin

BDU:2022-01640

MEDIUM5.3

Уязвимость веб-интерфейса веб-приложения для администрирования cистем управления базами данных phpMyAdmin, позволяющая нарушителю получить доступ к конфиденциальной информации

Published: 2022-03-31

CVSS 3.xMEDIUM 5.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N

References

CVE-2022-0813

BDU:2023-07577

MEDIUM5.4

Уязвимость веб-приложения для администрирования cистем управления базами данных phpMyAdmin, существующая из-за непринятия мер по защите структуры веб-страницы, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)

Published: 2023-11-10Modified: 2024-09-03

CVSS 3.xMEDIUM 5.4

CVSS:3.x/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS 2.0MEDIUM 5.5

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N

References

CVE-2023-25727

CVE-2020-22452

CRITICAL9.8

SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.2.0 via the tbl_storage_engine or tbl_collation parameters to tbl_create.php.

Published: 2023-01-26Modified: 2025-04-01

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2022-0813

HIGH7.5

PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially sensitive information by creating invalid requests. This affects the lang parameter, the pma_parameter, and the cookie section.

Published: 2022-03-10Modified: 2024-11-21

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

CVE-2022-23807

MEDIUM4.3

An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.

Published: 2022-01-22Modified: 2024-11-21

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS 3.xMEDIUM 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References

CVE-2022-23808

MEDIUM6.1

An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.

Published: 2022-01-22Modified: 2025-05-05

CVSS 2.0MEDIUM 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

CVE-2023-25727

MEDIUM5.4

In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger XSS by uploading a crafted .sql file through the drag-and-drop interface.

Published: 2023-02-13Modified: 2025-11-03

CVSS 3.xMEDIUM 5.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

GHSA-6hr3-44gx-g6wh

MEDIUM5.4

Cross-site Scripting vulnerability in drag-and-drop upload of phpMyAdmin

Published: 2023-02-13Modified: 2025-03-21

CVSS 3.xMEDIUM 5.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

GHSA-8wf2-3ggj-78q9

MEDIUM4.3

Improper Authentication in phpmyadmin

Published: 2022-01-29Modified: 2024-04-22

CVSS 3.xMEDIUM 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References

GHSA-prcg-mc23-hgjh

CRITICAL9.8

phpmyadmin contains SQL Injection vulnerability

Published: 2023-01-27Modified: 2023-02-03

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-vcwc-6mr9-8m7c

MEDIUM6.1

Cross-site Scripting in phpmyadmin

Published: 2022-01-29Modified: 2024-04-22

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

GHSA-vx8q-j7h9-vf6q

HIGH7.5

Exposure of Sensitive Information to an Unauthorized Actor in PhpMyAdmin

Published: 2022-03-11Modified: 2024-04-22

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Package update phpMyAdmin in branch c9f2

Closed issues (12)

SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.2.0 via the tbl_storage_engine or tbl_collation parameters to tbl_create.php.

PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially sensitive information by creating invalid requests. This affects the lang parameter, the pma_parameter, and the cookie section.

An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.

An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.

In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger XSS by uploading a crafted .sql file through the drag-and-drop interface.

Cross-site Scripting vulnerability in drag-and-drop upload of phpMyAdmin

Improper Authentication in phpmyadmin

phpmyadmin contains SQL Injection vulnerability

Cross-site Scripting in phpmyadmin

Exposure of Sensitive Information to an Unauthorized Actor in PhpMyAdmin