
CVSS: 7.5 | EPSS: 0% | CPEs: 50 | EXPL: 0

libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences.

References:
• http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html
• http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html
• http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html
• http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html
• http://www.debian.org/security/2016/dsa-3627
• http://www.phpmyadmin.net/home_page/security/PMASA-2016-5.php
• https://github.com/phpmyadmin/phpmyadmin/commit/ec0e88e37ef30a66eada1c072953f4ec385a3e49

Weakness: CWE-254: 7PK - Security Features

CVSS: 5.3 | EPSS: 0% | CPEs: 50 | EXPL: 0

libraries/config/messages.inc.php in phpMyAdmin 4.0.x before 4.0.10.12, 4.4.x before 4.4.15.2, and 4.5.x before 4.5.3.1 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message.

References:
• http://lists.opensuse.org/opensuse-updates/2016-01/msg00014.html
• http://www.securitytracker.com/id/1034806
• https://github.com/phpmyadmin/phpmyadmin/commit/c4d649325b25139d7c097e56e2e46cc7187fae45
• https://www.phpmyadmin.net/security/PMASA-2015-6

Weakness: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.0 | EPSS: 0% | CPEs: 23 | EXPL: 0

The redirection feature in url.php in phpMyAdmin 4.4.x before 4.4.15.1 and 4.5.x before 4.5.1 allows remote attackers to spoof content via the url parameter.

References:
• http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171311.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171326.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169987.html
• http://www.debian.org/security/2015/dsa-3382
• http://www.securityfocus.com/bid/77299
• http://www.securitytracker.com/id/1034013
• https://github.com/phpmyadmin/phpmyadmin/commit/cd097656758f981f80fb9029c7d6b4294582b706
• https://www.phpmyadmin.net/security/PMASA-2015-5

Weakness: CWE-254: 7PK - Security Features

CVSS: 5.0 | EPSS: 0% | CPEs: 31 | EXPL: 0

libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4.3.x before 4.3.13.2 and 4.4.x before 4.4.14.1 allows remote attackers to bypass a multiple-reCaptcha protection mechanism against brute-force credential guessing by providing a correct response to a single reCaptcha.

References:
• http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166294.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166307.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166531.html
• http://www.debian.org/security/2015/dsa-3382
• http://www.securityfocus.com/bid/76674
• http://www.securitytracker.com/id/1033546
• https://github.com/phpmyadmin/phpmyadmin/commit/785f4e2711848eb8945894199d5870253a88584e
• https://www.phpmyadmin.net/security/PMASA-2015-4

Weakness: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.8 | EPSS: 0% | CPEs: 56 | EXPL: 0

Multiple cross-site request forgery (CSRF) vulnerabilities in the setup process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 allow remote attackers to hijack the authentication of administrators for requests that modify the configuration file.

References:
• http://lists.opensuse.org/opensuse-updates/2015-07/msg00008.html
• http://www.debian.org/security/2015/dsa-3382
• http://www.phpmyadmin.net/home_page/security/PMASA-2015-2.php
• http://www.securityfocus.com/bid/74657
• http://www.securitytracker.com/id/1032404
• https://github.com/phpmyadmin/phpmyadmin/commit/ee92eb9bab8e2d546756c1d4aec81ec7c8e44b83

Weakness: CWE-352: Cross-Site Request Forgery (CSRF)