CVE-2008-3197
https://notcve.org/view.php?id=CVE-2008-3197
Cross-site request forgery (CSRF) vulnerability in phpMyAdmin before 2.11.7.1 allows remote attackers to perform unauthorized actions via a link or IMG tag to (1) the db parameter in the "Creating a Database" functionality (db_create.php), and (2) the convcharset and collation_connection parameters related to an unspecified program that modifies the connection character set. Una vulnerabilidad de tipo Cross-site request forgery (CSRF) en phpMyAdmin anterior a versión 2.11.7.1, permite a atacantes remotos realizar acciones no autorizadas por medio de un enlace o etiqueta IMG para (1) el parámetro db en la funcionalidad "Creating a Database" (en archivo db_create.php), y los parámetros (2) convcharset y collation_connection relacionados a un programa no especificado que modifica el ajuste de caracteres de conexión. • http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00000.html http://secunia.com/advisories/31097 http://secunia.com/advisories/31115 http://secunia.com/advisories/33822 http://sourceforge.net/project/shownotes.php?release_id=613660 http://www.debian.org/security/2008/dsa-1641 http://www.mandriva.com/security/advisories?name=MDVSA-2008:202 http://www.openwall.com/lists/oss-security/2008/07/15/6 http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0 http:/ • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2008-3032
https://notcve.org/view.php?id=CVE-2008-3032
Cross-site scripting (XSS) vulnerability in the phpMyAdmin (phpmyadmin) extension 3.0.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la extensión phpMyAdmin (phpmyadmin) 3.0.1 y versiones anteriores para TYPO3 permite a atacantes remotos inyectar web script o HTML de su elección a través de vectores no especificados. • http://secunia.com/advisories/30884 http://typo3.org/teams/security/security-bulletins/typo3-20080701-2 http://www.securityfocus.com/bid/30039 https://exchange.xforce.ibmcloud.com/vulnerabilities/43508 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-1924
https://notcve.org/view.php?id=CVE-2008-1924
Unspecified vulnerability in phpMyAdmin before 2.11.5.2, when running on shared hosts, allows remote authenticated users with CREATE table permissions to read arbitrary files via a crafted HTTP POST request, related to use of an undefined UploadDir variable. Una vulnerabilidad no especificada en phpMyAdmin versiones anteriores a 2.11.5.2, cuando se ejecuta en hosts compartidos, permite a los usuarios autenticados remotos con permisos de tabla CREATE leer archivos arbitrarios por medio de una petición POST de HTTP diseñada, relacionada con el uso de una variable UploadDir indefinida. • http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00000.html http://secunia.com/advisories/29944 http://secunia.com/advisories/29964 http://secunia.com/advisories/30034 http://secunia.com/advisories/30816 http://secunia.com/advisories/32834 http://secunia.com/advisories/33822 http://security.gentoo.org/glsa/glsa-200805-02.xml http://www.debian.org/security/2008/dsa-1557 http://www.mandriva • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2008-1567
https://notcve.org/view.php?id=CVE-2008-1567
phpMyAdmin before 2.11.5.1 stores the MySQL (1) username and (2) password, and the (3) Blowfish secret key, in cleartext in a Session file under /tmp, which allows local users to obtain sensitive information. phpMyAdmin versiones anteriores a 2.11.5.1, almacena la clave secreta MySQL de (1) nombre de usuario (2) contraseña, y (3) Blowfish, en texto sin cifrar en un archivo de Sesión bajo /tmp, que permite a los usuarios locales obtener información confidencial. • http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00000.html http://secunia.com/advisories/29588 http://secunia.com/advisories/29613 http://secunia.com/advisories/29964 http://secunia.com/advisories/30816 http://secunia.com/advisories/32834 http://secunia.com/advisories/33822 http://sourceforge.net/tracker/index.php?func=detail&aid=1909711&group_id=23067&atid=377408 http://www.debian.org/security/2 • CWE-312: Cleartext Storage of Sensitive Information •
CVE-2008-1149
https://notcve.org/view.php?id=CVE-2008-1149
phpMyAdmin before 2.11.5 accesses $_REQUEST to obtain some parameters instead of $_GET and $_POST, which allows attackers in the same domain to override certain variables and conduct SQL injection and Cross-Site Request Forgery (CSRF) attacks by using crafted cookies. phpMyAdmin anterior a la v2.11.5, accesos a $_REQUEST para obtener algún parámetro en vez de usar $_GET y $_POST, puede permitir a atacantes remotos del mismo dominio sobrescribir variables, inyectar código SQL y realizar ataques de falsificación de petición en sitios cruzados (CSRF) usando cookies manipuladas. • http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00000.html http://secunia.com/advisories/29143 http://secunia.com/advisories/29200 http://secunia.com/advisories/29287 http://secunia.com/advisories/29964 http://secunia.com/advisories/30816 http://secunia.com/advisories/32834 http://secunia.com/advisories/33822 http://www.debian.org/security/2008/dsa-1557 http://www.gentoo.org/security/en/ • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-352: Cross-Site Request Forgery (CSRF) •