Page 21 of 148 results (0.015 seconds)

CVSS: 6.8EPSS: 0%CPEs: 13EXPL: 0

The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof these servers and obtain sensitive information via a crafted certificate. La función checkHTTP en libraries/Config.class.php en phpMyAdmin 4.5.x en versiones anteriores a 4.5.5.1 no verifica certificados X.509 desde los servidores SSL de api.github.com, lo que permite a atacantes man-in-the-middle suplantar estos servidores y obtener información sensible a través de un certificado manipulado. • http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178562.html http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178869.html https://github.com/phpmyadmin/phpmyadmin/commit/e42b7e3aedd29dd0f7a48575f20bfc5aca0ff976 https://www.phpmyadmin.net/security/PMASA-2016-13 • CWE-20: Improper Input Validation •

CVSS: 7.5EPSS: 0%CPEs: 50EXPL: 0

libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences. libraries/common.inc.php en phpMyAdmin 4.0.x en versiones anteriores a 4.0.10.13, 4.4.x en versiones anteriores a 4.4.15.3 y 4.5.x en versiones anteriores a 4.5.4 no utiliza un algoritmo de tiempo constante para comparar tokens CSRF, lo que hace que sea más fácil para atacantes remotos eludir las restricciones destinadas al acceso mediante la medición de diferencias de tiempo. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html http://www.debian.org/security/2016/dsa-3627 http://www.phpmyadmin.net/home_page/security/PMASA-2016-5.php https://github.com/phpmyadmin/phpmyadmin/commit/ec0e88e37ef30a66eada1c072953f4ec385a3e49 • CWE-254: 7PK - Security Features •

CVSS: 5.4EPSS: 0%CPEs: 50EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname in a Location header. Múltiples vulnerabilidades de XSS en phpMyAdmin 4.0.x en versiones anteriores a 4.0.10.13, 4.4.x en versiones anteriores a 4.4.15.3 y 4.5.x en versiones anteriores a 4.5.4 permiten a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de (1) un nombre de tabla, (2) un valor SET, (3) una consulta de búsqueda o (4) un nombre de host en una cabecera Location. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html http://www.debian.org/security/2016/dsa-3627 http://www.phpmyadmin.net/home_page/security/PMASA-2016-3.php https://github.com/phpmyadmin/phpmyadmin/commit/75a55824012406a08c4debf5ddb7ae41c32a7dbc https://github.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 0%CPEs: 45EXPL: 0

The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the Math.random JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach. La función suggestPassword en js/functions.js en phpMyAdmin 4.0.x en versiones anteriores a 4.0.10.13, 4.4.x en versiones anteriores a 4.4.15.3 y 4.5.x en versiones anteriores a 4.5.4 se basa en la función Math.random JavaScript, lo que hace que sea más fácil para atacantes remotos adivinar las contraseñas a través de una aproximación por fuerza bruta. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html http://www.debian.org/security/2016/dsa-3627 http://www.phpmyadmin.net/home_page/security/PMASA-2016-4.php https://github.com/phpmyadmin/phpmyadmin/commit/8dedcc1a175eb07debd4fe116407c43694c60b22 https://github.com • CWE-254: 7PK - Security Features CWE-255: Credentials Management Errors •

CVSS: 5.3EPSS: 0%CPEs: 8EXPL: 0

libraries/sql-parser/autoload.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. libraries/sql-parser/autoload.php en analizador SQL en phpMyAdmin 4.5.x en versiones anteriores a 4.5.4 permite a atacantes remotos obtener información sensible a través de una petición manipulada, lo cual revela la ruta completa en un mensaje de error. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html http://www.phpmyadmin.net/home_page/security/PMASA-2016-8.php https://github.com/phpmyadmin/phpmyadmin/commit/c57d3cc7b97b5f32801032f7bb222297aa97dfea • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •