CVSS: 6.5 | EPSS: 4% | CPEs: 69 | EXPL: 0

The PMA_Bookmark_get function in libraries/bookmark.lib.php in phpMyAdmin 2.11.x before 2.11.11.3, and 3.3.x before 3.3.9.2, does not properly restrict bookmark queries, which makes it easier for remote authenticated users to trigger another user's execution of a SQL query by creating a bookmark.

• References:
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054349.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054355.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054525.html
http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=a5464b4daff0059cdf8c9e5f4d54a80e2dd2a5b0
http://secunia.com/advisories/43324
http://secunia.com/advisories/43391
http://secunia.com/advisories/43478
http://www.debian.org/security/2011

• CWE-20: Improper Input Validation

CVSS: 5.0 | EPSS: 0% | CPEs: 65 | EXPL: 0

phpMyAdmin before 3.4.0-beta1 allows remote attackers to bypass authentication and obtain sensitive information via a direct request to phpinfo.php, which calls the phpinfo function.

• References:
http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commitdiff%3Bh=4d9fd005671b05c4d74615d5939ed45e4d019e4c
http://secunia.com/advisories/42485
http://secunia.com/advisories/42725
http://www.debian.org/security/2010/dsa-2139
http://www.mandriva.com/security/advisories?name=MDVSA-2011:000
http://www.phpmyadmin.net/home_page/security/PMASA-2010-10.php
http://www.vupen.com/english/advisories/2010/3238
http://www.vupen.com/english/advisories/2011/0001
http://www.vupen

• CWE-287: Improper Authentication

CVSS: 4.3 | EPSS: 1% | CPEs: 2 | EXPL: 2

error.php in phpMyAdmin 3.3.8.1, and other versions before 3.4.0-beta1, allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted BBcode tag containing "@" characters, as demonstrated using "[a@url@page]".

• References:
https://www.exploit-db.com/exploits/15699
http://secunia.com/advisories/42485
http://secunia.com/advisories/42725
http://www.debian.org/security/2010/dsa-2139
http://www.exploit-db.com/exploits/15699
http://www.mandriva.com/security/advisories?name=MDVSA-2011:000
http://www.phpmyadmin.net/home_page/security/PMASA-2010-9.php
http://www.securityfocus.com/bid/45633
http://www.vupen.com/english/advisories/2010/3133
http://www.vupen.com/english/advisories/2011/0001
http:

• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')