CVE-2006-1803 – phpMyAdmin 2.7 - 'sql.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2006-1803
Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows remote attackers to inject arbitrary web script or HTML via the sql_query parameter. • https://www.exploit-db.com/exploits/27632 http://secunia.com/advisories/19659 http://secunia.com/advisories/19897 http://www.novell.com/linux/security/advisories/2006_04_28.html http://www.securityfocus.com/archive/1/430902/100/0/threaded http://www.securityfocus.com/archive/1/431013/100/0/threaded http://www.securityfocus.com/bid/17487 http://www.vupen.com/english/advisories/2006/1372 https://exchange.xforce.ibmcloud.com/vulnerabilities/25796 •
CVE-2006-1678
https://notcve.org/view.php?id=CVE-2006-1678
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.8.0.3 allow remote attackers to inject arbitrary web script or HTML via unknown vectors in unspecified scripts in the themes directory. • http://secunia.com/advisories/19556 http://secunia.com/advisories/19897 http://secunia.com/advisories/22781 http://www.debian.org/security/2006/dsa-1207 http://www.novell.com/linux/security/advisories/2006_04_28.html http://www.osvdb.org/24450 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-1 http://www.securityfocus.com/bid/17390 http://www.vupen.com/english/advisories/2006/1263 https://exchange.xforce.ibmcloud.com/vulnerabilities/25689 •
CVE-2006-1258 – phpMyAdmin 2.8.1 - Set_Theme Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2006-1258
Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.1 allows remote attackers to inject arbitrary web script or HTML via the set_theme parameter. • https://www.exploit-db.com/exploits/27435 http://secunia.com/advisories/19277 http://securitytracker.com/id?1015776 http://www.osvdb.org/23943 http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0 http://www.securityfocus.com/bid/17142 http://www.vupen.com/english/advisories/2006/0991 https://exchange.xforce.ibmcloud.com/vulnerabilities/25305 •
CVE-2005-4450
https://notcve.org/view.php?id=CVE-2005-4450
Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.7.0 allows remote attackers to perform unauthorized actions as a logged-in user via a link or IMG tag to server_privileges.php, as demonstrated using the dbname and checkprivs parameters. NOTE: the provenance of this issue is unknown, although third parties imply that it is related to the disclosure of CVE-2005-4349, which was labeled as SQL injection but disputed. • http://secunia.com/advisories/18113 •
CVE-2005-4349
https://notcve.org/view.php?id=CVE-2005-4349
SQL injection vulnerability in server_privileges.php in phpMyAdmin 2.7.0 allows remote authenticated users to execute arbitrary SQL commands via the (1) dbname and (2) checkprivs parameters. NOTE: the vendor and a third party have disputed this issue, saying that the main task of the program is to support query execution by authenticated users, and no external attack scenario exists without an auto-login configuration. Thus it is likely that this issue will be REJECTED. However, a closely related CSRF issue has been assigned CVE-2005-4450 ** DISPUTADA ** Vulnerabilidad de inyección de SQL en server_privileges.php en phpMyAdmin 2.7.0 permite a atacantes remotos ejecutar órdenes SQL de su elección mediante los parámetros (1)dbname y (2) checkprivs. NOTA: el fabricante y una tercera parte disputan esta cuestión, diciendo que la tarea principal del programa es soportar la ejecución de consultas por usuarios autenticados, y no existe ningún escenario de ataque externo sin una configuración con inicio automático de sesión. Por lo tanto, es probable que esta cuestión sea rechazada. • http://marc.info/?l=bugtraq&m=113486637512821&w=2 http://secunia.com/advisories/18113 http://securityreason.com/securityalert/270 http://www.securityfocus.com/archive/1/419829/100/0/threaded http://www.securityfocus.com/archive/1/419832/100/0/threaded http://www.vupen.com/english/advisories/2005/2995 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •