CVSS: 9.8 • EPSS: 97% • CPEs: 13 • EXPL: 3

26 Apr 2013 — phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote authenticated users to execute arbitrary code via a /e\x00 sequence, which is not properly handled before making a preg_replace function call within the "Replace table prefix" feature. • https://www.exploit-db.com/exploits/25136 •

CVSS: 9.8 • EPSS: 11% • CPEs: 13 • EXPL: 2

26 Apr 2013 — phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename of an export file, leading to interpretation of this file as an executable file by the Apache HTTP Server, as demonstrated by a .php.sql filename. • https://www.exploit-db.com/exploits/25003 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 6.1 • EPSS: 1% • CPEs: 12 • EXPL: 3

16 Apr 2013 — Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow remote attackers to inject arbitrary web script or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameter. NOTE: a third party reports that this is "not exploitable." ** DISPUTED ** • https://www.exploit-db.com/exploits/38440 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.1 • EPSS: 1% • CPEs: 30 • EXPL: 2

20 Dec 2012 — The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod. The Portable phpMyAdmin plugin before 1.3.0... • https://www.exploit-db.com/exploits/23356 • CWE-264: Permissions, Privileges, and Access Controls • CWE-287: Improper Authentication •

CVSS: 5.4 • EPSS: 0% • CPEs: 5 • EXPL: 0

25 Oct 2012 — Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.3 allow remote authenticated users to inject arbitrary web script or HTML via a crafted name of (1) an event, (2) a procedure, or (3) a trigger. • http://lists.opensuse.org/opensuse-updates/2012-11/msg00033.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.7 • EPSS: 0% • CPEs: 5 • EXPL: 0

25 Oct 2012 — phpMyAdmin 3.5.x before 3.5.3 uses JavaScript code that is obtained through an HTTP session to phpmyadmin.net without SSL, which allows man-in-the-middle attackers to conduct cross-site scripting (XSS) attacks by modifying this code. • http://lists.opensuse.org/opensuse-updates/2012-11/msg00033.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8 • EPSS: 86% • CPEs: 1 • EXPL: 1

25 Sep 2012 — phpMyAdmin 3.5.2.2, as distributed by the cdnetworks-kr-1 mirror during an unspecified time frame in 2012, contains an externally introduced modification (Trojan Horse) in server_sync.php, which allows remote attackers to execute arbitrary PHP code via an eval injection attack. • https://www.exploit-db.com/exploits/21834 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 5.4 • EPSS: 0% • CPEs: 4 • EXPL: 0

21 Aug 2012 — Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.2.2 allow remote authenticated users to inject arbitrary web script or HTML via a Table Operations (1) TRUNCATE or (2) DROP link for a crafted table name, (3) the Add Trigger popup within a Triggers page that references crafted table names, (4) an invalid trigger-creation attempt for a crafted table name, (5) crafted data in a table, or (6) a crafted tooltip label name during GIS data visualization, a different issue than CVE... • http://www.phpmyadmin.net/home_page/security/PMASA-2012-4.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4 • EPSS: 0% • CPEs: 21 • EXPL: 0

21 Aug 2012 — Multiple cross-site scripting (XSS) vulnerabilities in the Database Structure page in phpMyAdmin 3.4.x before 3.4.11.1 and 3.5.x before 3.5.2.2 allow remote authenticated users to inject arbitrary web script or HTML via (1) a crafted table name during table creation, or a (2) Empty link or (3) Drop link for a crafted table name. • http://www.mandriva.com/security/advisories?name=MDVSA-2012:136 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3 • EPSS: 0% • CPEs: 3 • EXPL: 1

21 Aug 2012 — show_config_errors.php in phpMyAdmin 3.5.x before 3.5.2.1 allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message, related to lack of inclusion of the common.inc.php library file. • http://www.phpmyadmin.net/home_page/security/PMASA-2012-3.php • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •