CVE-2019-12616
phpMyAdmin 4.8 - Cross-Site Request Forgery
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
3Exploited in Wild
-Decision
Descriptions
An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.
Un problema fue descubierto en phpMyAdmin antes del 4.9.0. Fue descubierta una vulnerabilidad que permite a un atacante desencadenar un ataque CSRF contra un usuario de phpMyAdmin. El atacante puede engañar al usuario, por ejemplo, a través de una etiqueta rota que apunta a la base de datos phpMyAdmin de la víctima, y el atacante puede entregar una carga útil (como una declaración INSERT o DELETE) a la víctima.
It was discovered that there was a bug in the way phpMyAdmin handles the phpMyAdmin Configuration Storage tables. An authenticated attacker could use this vulnerability to cause phpmyAdmin to leak sensitive files. It was discovered that phpMyAdmin incorrectly handled user input. An attacker could possibly use this for an XSS attack. It was discovered that phpMyAdmin mishandled certain input. An attacker could use this vulnerability to execute a cross-site scripting attack via a crafted URL. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-06-03 CVE Reserved
- 2019-06-05 CVE Published
- 2019-06-11 First Exploit
- 2024-08-04 CVE Updated
- 2025-06-04 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
References (12)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/153251/phpMyAdmin-4.8-Cross-Site-Request-Forgery.html | X_refsource_misc |
|
| http://www.securityfocus.com/bid/108619 | Vdb Entry | |
| https://lists.debian.org/debian-lts-announce/2019/06/msg00009.html | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://packetstorm.news/files/id/153251 | 2019-06-11 | |
| https://www.exploit-db.com/exploits/46982 | 2019-06-11 | |
| https://github.com/Cappricio-Securities/CVE-2019-12616 | 2024-06-21 |
| URL | Date | SRC |
|---|---|---|
| https://www.phpmyadmin.net/security/PMASA-2019-4 | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Phpmyadmin Search vendor "Phpmyadmin" | Phpmyadmin Search vendor "Phpmyadmin" for product "Phpmyadmin" | < 4.9.0 Search vendor "Phpmyadmin" for product "Phpmyadmin" and version " < 4.9.0" | - |
Affected
| ||||||