CVE-2012-5469 – Portable phpMyAdmin <= 1.3.0 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2012-5469
The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod. El complemento phpMyAdmin Portable antes de v1.3.1 para WordPress permite a atacantes remotos evitar la autenticación y obtener acceso a la consola de phpMyAdmin a través de una solicitud directa al wp-content/plugins/portable-phpmyadmin/wp-pma-mod. The Portable phpMyAdmin plugin before 1.3.0 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod. WordPress portable-phpMyAdmin plugin version 1.3.0 fails to validate the existing session allowing a user to navigate directly to the interface. • https://www.exploit-db.com/exploits/23356 http://archives.neohapsis.com/archives/bugtraq/2012-12/0092.html http://wordpress.org/extend/plugins/portable-phpmyadmin/changelog • CWE-264: Permissions, Privileges, and Access Controls CWE-287: Improper Authentication •
CVE-2011-2642
https://notcve.org/view.php?id=CVE-2011-2642
Multiple cross-site scripting (XSS) vulnerabilities in the table Print view implementation in tbl_printview.php in phpMyAdmin before 3.3.10.3 and 3.4.x before 3.4.3.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted table name. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en la vista de implementación en la tabla Print en tbl_printview.php en phpMyAdmin anterior a v3.3.10.3 y v3.4.x anterior a v3.4.3.2 permite a usuarios autenticados de forma remota inyectar código script web de su elección o HTML a través de un nombre de tabla manipulado. • http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063410.html http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063418.html http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=4bd27166c314faa37cada91533b86377f4d4d214 http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=a0823be05aa5835f207c0838b9cca67d2d9a050a http://secunia.com/advisories/45315 http://secunia.com/advisories/45365 http://secunia.com/advisories/45515 http • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-0986
https://notcve.org/view.php?id=CVE-2011-0986
phpMyAdmin 2.11.x before 2.11.11.2, and 3.3.x before 3.3.9.1, does not properly handle the absence of the (1) README, (2) ChangeLog, and (3) LICENSE files, which allows remote attackers to obtain the installation path via a direct request for a nonexistent file. PhpMyAdmin v2.11.x antes de v2.11.11.2, y v3.3.x antes de v3.3.9.1, no controla correctamente la ausencia de los ficheros (1) README, (2) Changelog , y (3) Los archivos de licencia, que permite a atacantes remotos obtener la ruta de instalación a través de una petición directa de un archivo inexistente. • http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054349.html http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054355.html http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=035d002db1e1201e73e560d7d98591563b506a83 http://secunia.com/advisories/43478 http://www.mandriva.com/security/advisories?name=MDVSA-2011:026 http://www.phpmyadmin.net/home_page/security/PMASA-2011-1.php http://www.vupen.com/english/advisories/2011/0385 https:& • CWE-20: Improper Input Validation •
CVE-2011-0987
https://notcve.org/view.php?id=CVE-2011-0987
The PMA_Bookmark_get function in libraries/bookmark.lib.php in phpMyAdmin 2.11.x before 2.11.11.3, and 3.3.x before 3.3.9.2, does not properly restrict bookmark queries, which makes it easier for remote authenticated users to trigger another user's execution of a SQL query by creating a bookmark. La función PMA_Bookmark_get en libraries/bookmark.lib.php de phpMyAdmin v2.11.x y anteriores a v2.11.11.3, y v3.3.x anteriores a v3.3.9.2,no restringe adecuadamente las consultas de bookmark, lo que hace más fácil para los usuarios remotos autenticados activar la ejecución de una consulta SQL de otro usuario mediante la creación de un marcador. • http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054349.html http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054355.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054525.html http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=a5464b4daff0059cdf8c9e5f4d54a80e2dd2a5b0 http://secunia.com/advisories/43324 http://secunia.com/advisories/43391 http://secunia.com/advisories/43478 http://www.debian.org/security/2011 • CWE-20: Improper Input Validation •
CVE-2010-4481
https://notcve.org/view.php?id=CVE-2010-4481
phpMyAdmin before 3.4.0-beta1 allows remote attackers to bypass authentication and obtain sensitive information via a direct request to phpinfo.php, which calls the phpinfo function. phpMyAdmin anteriores a v3.4.0-beta1, permite a atacantes remotos evitar la autenticación y obtener información sensible a través de una solicitud directa al phpinfo.php, que llama a la función phpinfo. • http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commitdiff%3Bh=4d9fd005671b05c4d74615d5939ed45e4d019e4c http://secunia.com/advisories/42485 http://secunia.com/advisories/42725 http://www.debian.org/security/2010/dsa-2139 http://www.mandriva.com/security/advisories?name=MDVSA-2011:000 http://www.phpmyadmin.net/home_page/security/PMASA-2010-10.php http://www.vupen.com/english/advisories/2010/3238 http://www.vupen.com/english/advisories/2011/0001 http://www.vupen • CWE-287: Improper Authentication •