Detections
Analytics

CVE-2011-2506

critical

Description

setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array.

References

http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt

http://www.securityfocus.com/archive/1/518804/100/0/threaded

http://www.phpmyadmin.net/home_page/security/PMASA-2011-6.php

http://www.osvdb.org/73612

http://www.openwall.com/lists/oss-security/2011/06/29/11

http://www.openwall.com/lists/oss-security/2011/06/28/8

http://www.openwall.com/lists/oss-security/2011/06/28/6

http://www.openwall.com/lists/oss-security/2011/06/28/2

http://www.mandriva.com/security/advisories?name=MDVSA-2011:124

http://www.debian.org/security/2011/dsa-2286

http://typo3.org/teams/security/security-bulletins/typo3-sa-2011-008/

http://securityreason.com/securityalert/8306

http://secunia.com/advisories/45315

http://secunia.com/advisories/45292

http://secunia.com/advisories/45139

http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=0fbedaf5fd7a771d0885c6b7385d934fc90d0d7f

http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062719.html

Details

Source: Mitre, NVD

Published: 2011-07-14

Updated: 2023-11-07

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical