U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:phpmyadmin:phpmyadmin:1.2.3:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 39 matching records.
Displaying matches 21 through 39.
Vuln ID Summary CVSS Severity
CVE-2008-4326

The PMA_escapeJsString function in libraries/js_escape.lib.php in phpMyAdmin before 2.11.9.2, when Internet Explorer is used, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via a NUL byte inside a "</script" sequence.

Published: September 30, 2008; 12:13:50 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2008-4096

libraries/database_interface.lib.php in phpMyAdmin before 2.11.9.1 allows remote authenticated users to execute arbitrary code via a request to server_databases.php with a sort_by parameter containing PHP sequences, which are processed by create_function.

Published: September 18, 2008; 11:04:27 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 8.5 HIGH
CVE-2008-3456

phpMyAdmin before 2.11.8 does not sufficiently prevent its pages from using frames that point to pages in other domains, which makes it easier for remote attackers to conduct spoofing or phishing activities via a cross-site framing attack.

Published: August 04, 2008; 3:41:00 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 6.4 MEDIUM
CVE-2008-3457

Cross-site scripting (XSS) vulnerability in setup.php in phpMyAdmin before 2.11.8 allows user-assisted remote attackers to inject arbitrary web script or HTML via crafted setup arguments. NOTE: this issue can only be exploited in limited scenarios in which the attacker must be able to modify config/config.inc.php.

Published: August 04, 2008; 3:41:00 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 2.6 LOW
CVE-2008-1924

Unspecified vulnerability in phpMyAdmin before 2.11.5.2, when running on shared hosts, allows remote authenticated users with CREATE table permissions to read arbitrary files via a crafted HTTP POST request, related to use of an undefined UploadDir variable.

Published: April 23, 2008; 12:05:00 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 3.5 LOW
CVE-2008-1567

phpMyAdmin before 2.11.5.1 stores the MySQL (1) username and (2) password, and the (3) Blowfish secret key, in cleartext in a Session file under /tmp, which allows local users to obtain sensitive information.

Published: March 31, 2008; 6:44:00 PM -0400
V4.0:(not available)
V3.1: 5.5 MEDIUM
V2.0: 2.1 LOW
CVE-2008-1149

phpMyAdmin before 2.11.5 accesses $_REQUEST to obtain some parameters instead of $_GET and $_POST, which allows attackers in the same domain to override certain variables and conduct SQL injection and Cross-Site Request Forgery (CSRF) attacks by using crafted cookies.

Published: March 04, 2008; 6:44:00 PM -0500
V4.0:(not available)
V3.x:(not available)
V2.0: 5.1 MEDIUM
CVE-2007-6100

Cross-site scripting (XSS) vulnerability in libraries/auth/cookie.auth.lib.php in phpMyAdmin before 2.11.2.2, when logins are authenticated with the cookie auth_type, allows remote attackers to inject arbitrary web script or HTML via the convcharset parameter to index.php, a different vulnerability than CVE-2005-0992.

Published: November 23, 2007; 3:46:00 PM -0500
V4.0:(not available)
V3.x:(not available)
V2.0: 2.6 LOW
CVE-2007-5976

SQL injection vulnerability in db_create.php in phpMyAdmin before 2.11.2.1 allows remote authenticated users with CREATE DATABASE privileges to execute arbitrary SQL commands via the db parameter.

Published: November 14, 2007; 7:46:00 PM -0500
V4.0:(not available)
V3.x:(not available)
V2.0: 6.5 MEDIUM
CVE-2007-5977

Cross-site scripting (XSS) vulnerability in db_create.php in phpMyAdmin before 2.11.2.1 allows remote authenticated users with CREATE DATABASE privileges to inject arbitrary web script or HTML via a hex-encoded IMG element in the db parameter in a POST request, a different vulnerability than CVE-2006-6942.

Published: November 14, 2007; 7:46:00 PM -0500
V4.0:(not available)
V3.x:(not available)
V2.0: 3.5 LOW
CVE-2007-5589

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via certain input available in (1) PHP_SELF in (a) server_status.php, and (b) grab_globals.lib.php, (c) display_change_password.lib.php, and (d) common.lib.php in libraries/; and certain input available in PHP_SELF and (2) PATH_INFO in libraries/common.inc.php. NOTE: there might also be other vectors related to (3) REQUEST_URI.

Published: October 19, 2007; 7:17:00 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2007-1325

The PMA_ArrayWalkRecursive function in libraries/common.lib.php in phpMyAdmin before 2.10.0.2 does not limit recursion on arrays provided by users, which allows context-dependent attackers to cause a denial of service (web server crash) via an array with many dimensions. NOTE: it could be argued that this vulnerability is caused by a problem in PHP (CVE-2006-1549) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in phpMyAdmin.

Published: March 07, 2007; 4:19:00 PM -0500
V4.0:(not available)
V3.x:(not available)
V2.0: 7.1 HIGH
CVE-2006-6942

Multiple cross-site scripting (XSS) vulnerabilities in PhpMyAdmin before 2.9.1.1 allow remote attackers to inject arbitrary HTML or web script via (1) a comment for a table name, as exploited through (a) db_operations.php, (2) the db parameter to (b) db_create.php, (3) the newname parameter to db_operations.php, the (4) query_history_latest, (5) query_history_latest_db, and (6) querydisplay_tab parameters to (c) querywindow.php, and (7) the pos parameter to (d) sql.php.

Published: January 18, 2007; 9:28:00 PM -0500
V4.0:(not available)
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2006-6943

PhpMyAdmin before 2.9.1.1 allows remote attackers to obtain the full server path via direct requests to (a) scripts/check_lang.php and (b) themes/darkblue_orange/layout.inc.php; and via the (1) lang[], (2) target[], (3) db[], (4) goto[], (5) table[], and (6) tbl_group[] array arguments to (c) index.php, and the (7) back[] argument to (d) sql.php; and an invalid (8) sort_by parameter to (e) server_databases.php and (9) db parameter to (f) db_printview.php.

Published: January 18, 2007; 9:28:00 PM -0500
V4.0:(not available)
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2006-6944

phpMyAdmin before 2.9.1.1 allows remote attackers to bypass Allow/Deny access rules that use IP addresses via false headers.

Published: January 18, 2007; 9:28:00 PM -0500
V4.0:(not available)
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2007-0203

Multiple unspecified vulnerabilities in phpMyAdmin before 2.9.2-rc1 have unknown impact and attack vectors.

Published: January 11, 2007; 6:28:00 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2007-0204

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.9.2-rc1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: some of these details are obtained from third party information.

Published: January 11, 2007; 6:28:00 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2006-1803

Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows remote attackers to inject arbitrary web script or HTML via the sql_query parameter.

Published: April 18, 2006; 6:02:00 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2001-0478

Directory traversal vulnerability in phpMyAdmin 2.2.0 and earlier versions allows remote attackers to execute arbitrary code via a .. (dot dot) in an argument to the sql.php script.

Published: June 27, 2001; 12:00:00 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 7.5 HIGH