CVE-2023-25727
https://notcve.org/view.php?id=CVE-2023-25727
In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger XSS by uploading a crafted .sql file through the drag-and-drop interface. • https://www.phpmyadmin.net/security/PMASA-2023-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-0813 – PhpMyAdmin exposure of sensitive information
https://notcve.org/view.php?id=CVE-2022-0813
PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially sensitive information by creating invalid requests. This affects the lang parameter, the pma_parameter, and the cookie section. PhpMyAdmin versiones 5.1.1 y anteriores, permiten a un atacante recuperar información potencialmente confidencial creando peticiones no válidas. Esto afecta al parámetro lang, al parámetro pma_ y a la cookie section • https://security.gentoo.org/glsa/202311-17 https://www.incibe-cert.es/en/early-warning/security-advisories/phpmyadmin-exposure-sensitive-information https://www.phpmyadmin.net/news/2022/2/11/phpmyadmin-4910-and-513-are-released • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2022-23807
https://notcve.org/view.php?id=CVE-2022-23807
An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances. Se ha detectado un problema en phpMyAdmin versiones 4.9 anteriores a 4.9.8 y 5.1 anteriores a 5.1.2. Un usuario válido que ya está autenticado en phpMyAdmin puede manipular su cuenta para omitir la autenticación de dos factores en futuras instancias de inicio de sesión • https://security.gentoo.org/glsa/202311-17 https://www.phpmyadmin.net/security/PMASA-2022-1 • CWE-287: Improper Authentication •
CVE-2020-22278
https://notcve.org/view.php?id=CVE-2020-22278
phpMyAdmin through 5.0.2 allows CSV injection via Export Section. NOTE: the vendor disputes this because "the CSV file is accurately generated based on the database contents. ** EN DISPUTA ** phpMyAdmin versiones hasta 5.0.2, permite una inyección CSV por medio de una Export SectionNOTA: el vendedor lo discute porque "el archivo CSV se genera con precisión en base al contenido de la base de datos" • https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22278.pdf https://mega.nz/file/ySQnlQSR#vXzY46mgf0CE2ysYpWpbE4O6T_g37--rtaL8pqdHcQs • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVE-2020-26934
https://notcve.org/view.php?id=CVE-2020-26934
phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted link. phpMyAdmin versiones anteriores a 4.9.6 y versiones 5.x anteriores a 5.0.3, permite un ataque de tipo XSS por medio de la funcionalidad de transformación mediante un enlace diseñado • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00027.html http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html https://lists.debian.org/debian-lts-announce/2020/10/msg00024.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHST4E5IJG7IKZTTW3R6MEZPVHJZ472K https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXK37YEHSDYCIPQSYEMN2OFTP2ZLM7DO https://lists.fedoraproject.org/archives/list/package-announce%40lists • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •