CVE-2006-5116
https://notcve.org/view.php?id=CVE-2006-5116
Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyAdmin before 2.9.1-rc1 allow remote attackers to perform unauthorized actions as another user by (1) directly setting a token in the URL though dynamic variable evaluation and (2) unsetting arbitrary variables via the _REQUEST array, related to (a) libraries/common.lib.php, (b) session.inc.php, and (c) url_generating.lib.php. NOTE: the PHP unset function vector is covered by CVE-2006-3017. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en phpMyAdmin anteror a 2.9.1-rc1 rem realizar acciones no autorizadas como otro usuario (1) estableciendo directamente un testigo en el URL mediante evaluación dinámica de variable y (2) cambiar variables de su elección mediante el array _REQUEST, relacionado con (a) libraries/common.lib.php, (b) session.inc.php, y (3) url_generating.lib.php. NOTA: el vector de la función unset de PHP se trata en CVE-2006-3017. • http://attrition.org/pipermail/vim/2006-October/001067.html http://lists.suse.com/archive/suse-security-announce/2006-Nov/0010.html http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.9.1-rc1.tar.gz?download http://secunia.com/advisories/22126 http://secunia.com/advisories/22781 http://secunia.com/advisories/23086 http://securityreason.com/securityalert/1677 http://www.debian.org/security/2006/dsa-1207 http://www.hardened-php.net/advisory_072006.130.html http://www.phpmyadmi •
CVE-2006-5117
https://notcve.org/view.php?id=CVE-2006-5117
phpMyAdmin before 2.9.1-rc1 has a libraries directory under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information via direct requests for certain files. phpMyAdmin anterior a 2.9.1-rc1 tiene un directorio de librerias bajo la raíz de la documentación web con controles de acceso insuficientes, lo caul permiet a un atacante remoto obtener información sensible a través de repuesta directar para cierto archivos. • http://lists.suse.com/archive/suse-security-announce/2006-Nov/0010.html http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.9.1-rc1.tar.gz?download http://secunia.com/advisories/22126 http://secunia.com/advisories/23086 http://www.securityfocus.com/bid/20253 •
CVE-2006-3388
https://notcve.org/view.php?id=CVE-2006-3388
Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via the table parameter. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en phpMyAdmin en versiones anteriores a 2.8.2, que permite a los atacantes remotos inyectar arbitrariamente una secuencia de comandos web o HTML a través del parámetro table. • http://lists.suse.com/archive/suse-security-announce/2006-Nov/0010.html http://secunia.com/advisories/20907 http://secunia.com/advisories/23086 http://securitynews.ir/advisories/phpmyadmin281.txt http://securityreason.com/securityalert/1194 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-4 http://www.securityfocus.com/archive/1/438870/100/0/threaded http://www.securityfocus.com/bid/18754 http://www.vupen.com/english/advisories/2006/2622 https://exchange.xforce.ibm •
CVE-2006-2418
https://notcve.org/view.php?id=CVE-2006-2418
Cross-site scripting (XSS) vulnerabilities in certain versions of phpMyAdmin before 2.8.0.4 allow remote attackers to inject arbitrary web script or HTML via the db parameter in unknown scripts. • http://lists.suse.com/archive/suse-security-announce/2006-Jun/0003.html http://secunia.com/advisories/20113 http://secunia.com/advisories/20627 http://secunia.com/advisories/22781 http://www.debian.org/security/2006/dsa-1207 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-2 http://www.securityfocus.com/bid/17973 http://www.vupen.com/english/advisories/2006/1794 https://exchange.xforce.ibmcloud.com/vulnerabilities/26441 •
CVE-2006-2417
https://notcve.org/view.php?id=CVE-2006-2417
Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.x before 2.8.0.4 allows remote attackers to inject arbitrary web script or HTML via the theme parameter in unknown scripts. NOTE: the lang parameter is already covered by CVE-2006-2031. • http://lists.suse.com/archive/suse-security-announce/2006-Jun/0003.html http://secunia.com/advisories/20113 http://secunia.com/advisories/20627 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-2 http://www.securityfocus.com/bid/17973 http://www.vupen.com/english/advisories/2006/1794 https://exchange.xforce.ibmcloud.com/vulnerabilities/26444 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •