Page 5 of 145 results (0.022 seconds)

CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0

An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions (e.g., version 5). This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). This occurs because some implementations of the PHP substr function return false when given '' as the first argument. Se ha descubierto un problema en libraries/common.inc.php en phpMyAdmin en versiones 4.0 anteriores a la 4.0.10.20, 4.4.x, 4.6.x y 4.7.0 "prereleases". • http://www.securityfocus.com/bid/97211 https://lists.debian.org/debian-lts-announce/2018/07/msg00006.html https://www.phpmyadmin.net/security/PMASA-2017-8 •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

phpMyAdmin 4.8.0 before 4.8.0-1 has CSRF, allowing an attacker to execute arbitrary SQL statements, related to js/db_operations.js, js/tbl_operations.js, libraries/classes/Operations.php, and sql.php. phpMyAdmin 4.8.0 en versiones anteriores a la 4.8.0-1 tiene Cross-Site Request Forgery (CSRF), que permite que un atacante ejecute instrucciones SQL arbitrarias. Esto está relacionado con js/db_operations.js, js/tbl_operations.js, libraries/classes/Operations.php y sql.php. phpMyAdmin versions 4.8.0 prior to 4.8.0-1 suffer from a cross site request forgery vulnerability. • https://www.exploit-db.com/exploits/44496 http://www.securityfocus.com/bid/103936 http://www.securitytracker.com/id/1040752 https://www.phpmyadmin.net/security/PMASA-2018-2 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

Cross-site scripting (XSS) vulnerability in db_central_columns.php in phpMyAdmin before 4.7.8 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. Una vulnerabilidad Cross-Site Scripting (XSS) en db_central_columns.php en phpMyAdmin, en versiones anteriores a la 4.7.8, permite que atacantes remotos autenticados inyecten scripts web o HTLM arbitrarios mediante una URL manipulada. • http://www.securityfocus.com/bid/103099 https://github.com/phpmyadmin/phpmyadmin/commit/d2886a3 https://udiniya.wordpress.com/2018/02/21/a-tale-of-stealing-session-cookie-in-phpmyadmin https://www.phpmyadmin.net/security/PMASA-2018-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 74%CPEs: 1EXPL: 3

phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a CSRF weakness. By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc. Las versiones 4.7.x (anteriores a 4.7.6.1/4.7.7) de phpMyAdmin son vulnerables a una debilidad Cross-Site Request Forgery (CSRF). Al engañar a un usuario para que haga clic en una URL manipulada, es posible realizar operaciones dañinas para la base de datos, como el borrado de registros, anulación/truncado de tablas, etc. phpMyAdmin version 4.7.x suffers from a cross site request forgery vulnerability. • https://www.exploit-db.com/exploits/45284 https://github.com/Villaquiranm/5MMISSI-CVE-2017-1000499 http://cyberworldmirror.com/vulnerability-phpmyadmin-lets-attacker-perform-drop-table-single-click http://www.securitytracker.com/id/1040163 https://www.phpmyadmin.net/security/PMASA-2017-9 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0

A weakness was discovered where an attacker can inject arbitrary values in to the browser cookies. This is a re-issue of an incomplete fix from PMASA-2016-18. Se detectó una debilidad en la que un atacante puede inyectar valores arbitrarios en las cookies del navegador. Esta es una reedición de una solución incompleta de PMASA-2016-18. • https://www.phpmyadmin.net/security/PMASA-2017-5 • CWE-20: Improper Input Validation •