CVE-2011-4107
phpMyAdmin 3.3.x/3.4.x - Local File Inclusion via XML External Entity Injection
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
6Exploited in Wild
-Decision
Descriptions
The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
La función simplexml_load_string en la importación XML plug-in (libraries/import/xml.php) en phpMyAdmin v3.4.x anterior a v3.4.7.1, v3.3.x y v3.3.10.5 permite a usuarios remotos autenticados leer ficheros arbitrarios a través de datos XML que contiene entidad de referencia externa, también conocido como un XML entidad externa (XXE) ataque de inyección.
phpMyAdmin versions 3.3.x and 3.4.x suffer from a local file inclusion vulnerability via XXE injection. The attacker must be logged in to MySQL via phpMyAdmin.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2011-10-18 CVE Reserved
- 2011-11-17 CVE Published
- 2012-01-14 First Exploit
- 2024-07-07 EPSS Updated
- 2024-08-07 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
References (19)
URL | Tag | Source |
---|---|---|
http://osvdb.org/76798 | Broken Link | |
http://securityreason.com/securityalert/8533 | Broken Link | |
http://www.openwall.com/lists/oss-security/2011/11/03/3 | Mailing List | |
http://www.openwall.com/lists/oss-security/2011/11/03/5 | Mailing List | |
http://www.securityfocus.com/bid/50497 | Broken Link | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/71108 | Third Party Advisory |
URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/18371 | 2012-01-14 | |
https://github.com/SECFORCE/CVE-2011-4107 | 2017-04-19 | |
http://packetstormsecurity.org/files/view/106511/phpmyadmin-fileread.txt | 2024-08-07 | |
http://seclists.org/fulldisclosure/2011/Nov/21 | 2024-08-07 | |
http://www.wooyun.org/bugs/wooyun-2010-03185 | 2024-08-07 | |
https://bugzilla.redhat.com/show_bug.cgi?id=751112 | 2024-08-07 |
URL | Date | SRC |
---|---|---|
http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php | 2024-02-09 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Phpmyadmin Search vendor "Phpmyadmin" | Phpmyadmin Search vendor "Phpmyadmin" for product "Phpmyadmin" | >= 3.3.0.0 < 3.3.10.5 Search vendor "Phpmyadmin" for product "Phpmyadmin" and version " >= 3.3.0.0 < 3.3.10.5" | - |
Affected
| ||||||
Phpmyadmin Search vendor "Phpmyadmin" | Phpmyadmin Search vendor "Phpmyadmin" for product "Phpmyadmin" | >= 3.4.0.0 < 3.4.7.1 Search vendor "Phpmyadmin" for product "Phpmyadmin" and version " >= 3.4.0.0 < 3.4.7.1" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 14 Search vendor "Fedoraproject" for product "Fedora" and version "14" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 15 Search vendor "Fedoraproject" for product "Fedora" and version "15" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 16 Search vendor "Fedoraproject" for product "Fedora" and version "16" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 5.0 Search vendor "Debian" for product "Debian Linux" and version "5.0" | - |
Affected
|