CVSS: 6.8EPSS: 2%CPEs: 5EXPL: 0CVE-2011-2643
https://notcve.org/view.php?id=CVE-2011-2643
Directory traversal vulnerability in sql.php in phpMyAdmin 3.4.x before 3.4.3.2, when configuration storage is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in a MIME-type transformation parameter. Vulnerabilidad de directorio transversal en sql.php en phpMyAdmin v3.4.x anterior a v3.4.3.2, cuando la configuración de almacenamiento está activa, permite a atacantes remotos incluir y ejecutar ficheros locales de su elección a través de secuencias de salto de directorio en una transformación del parámetro MIME-type. • http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063410.html http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063418.html http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=f63e1bb42a37401b2fdfcd2e66cce92b7ea2025c http://secunia.com/advisories/45365 http://secunia.com/advisories/45515 http://www.mandriva.com/security/advisories?name=MDVSA-2011:124 http://www.phpmyadmin.net/home_page/security/PMASA-2011-10.php http://www.securityfocus • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.0EPSS: 0%CPEs: 5EXPL: 0CVE-2011-2718
https://notcve.org/view.php?id=CVE-2011-2718
Multiple directory traversal vulnerabilities in the relational schema implementation in phpMyAdmin 3.4.x before 3.4.3.2 allow remote authenticated users to include and execute arbitrary local files via directory traversal sequences in an export type field, related to (1) libraries/schema/User_Schema.class.php and (2) schema_export.php. Múltiples vulnerabilidades de salto de directorio en la implementación del esquema relacional en phpMyAdmin v3.4.x anterior a v3.4.3.2 permite a usuarios autenticados de forma remota incluir y ejecutar ficheros locales a través de secuencias de salto de directorio en el campo tipo, relacionado con (1)libraries/schema/User_Schema.class.php y (2)schema_export.php. • http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063410.html http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063418.html http://osvdb.org/74111 http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=3ae58f0cd6b89ad4767920f9b214c38d3f6d4393 http://secunia.com/advisories/45365 http://secunia.com/advisories/45515 http://www.mandriva.com/security/advisories?name=MDVSA-2011:124 http://www.openwall.com/lists/oss-security/2011/07/25/4& • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 2.6EPSS: 0%CPEs: 75EXPL: 0CVE-2011-2642
https://notcve.org/view.php?id=CVE-2011-2642
Multiple cross-site scripting (XSS) vulnerabilities in the table Print view implementation in tbl_printview.php in phpMyAdmin before 3.3.10.3 and 3.4.x before 3.4.3.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted table name. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en la vista de implementación en la tabla Print en tbl_printview.php en phpMyAdmin anterior a v3.3.10.3 y v3.4.x anterior a v3.4.3.2 permite a usuarios autenticados de forma remota inyectar código script web de su elección o HTML a través de un nombre de tabla manipulado. • http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063410.html http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063418.html http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=4bd27166c314faa37cada91533b86377f4d4d214 http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=a0823be05aa5835f207c0838b9cca67d2d9a050a http://secunia.com/advisories/45315 http://secunia.com/advisories/45365 http://secunia.com/advisories/45515 http • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 2%CPEs: 50EXPL: 0CVE-2011-2719
https://notcve.org/view.php?id=CVE-2011-2719
libraries/auth/swekey/swekey.auth.lib.php in phpMyAdmin 3.x before 3.3.10.3 and 3.4.x before 3.4.3.2 does not properly manage sessions associated with Swekey authentication, which allows remote attackers to modify the SESSION superglobal array, other superglobal arrays, and certain swekey.auth.lib.php local variables via a crafted query string, a related issue to CVE-2011-2505. libraries/auth/swekey/swekey.auth.lib.php en phpMyAdmin v3.x anterior a v3.3.10.3 y v3.4.x anterior a v3.4.3.2 no maneja adecuadamente sesiones asociadas con autenticación Swekey, lo que permite a atacantes remotos modificar el array superglobal SESSION, otros arrays superglobal y ciertas variables locales swekey.auth.lib.php a través de consultas de cadenas manipuladas, relacionado con CVE-2011-2505. • http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063410.html http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063418.html http://osvdb.org/74112 http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=571cdc6ff4bf375871b594f4e06f8ad3159d1754 http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=e7bb42c002885c2aca7aba4d431b8c63ae4de9b7 http://seclists.org/fulldisclosure/2011/Jul/300 http://secunia.com/advisories/45315 • CWE-20: Improper Input Validation •
CVSS: 6.4EPSS: 14%CPEs: 48EXPL: 4CVE-2011-2505 – phpMyAdmin3 (pma3) - Remote Code Execution
https://notcve.org/view.php?id=CVE-2011-2505
libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a "remote variable manipulation vulnerability." libraries/auth/swekey/swekey.auth.lib.php en la función de autenticación Swekey en phpMyAdmin v3.x anterior a v3.3.10.2 y v3.4.x anterior a v3.4.3.1 asigna valores a parámetros arbitrarios referenciados en la cadena de consulta, permitiendo a atacantes remotos modificar el array superglobal SESIÓN a través de una solicitud manipulada, relacionado con "vulnerabilidad de manipulación de variable remota" phpMyAdmin version 3.x suffers from multiple remote code execution vulnerabilities. • https://www.exploit-db.com/exploits/17510 https://www.exploit-db.com/exploits/17514 http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062719.html http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=7ebd958b2bf59f96fecd5b3322bdbd0b244a7967 http://secunia.com/advisories/45139 http://secunia.com/advisories/45292 http://secunia.com/advisories/45315 http://securityreason.com/securityaler • CWE-94: Improper Control of Generation of Code ('Code Injection') •