phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc.

The version of phpMyAdmin installed on the remote host is affected by a Cross-Site Request Forgery (XSRF/CSRF) vulnerability leading to injection of harmful SQL queries. vulnerability. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201904-16 (phpMyAdmin: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in phpMyAdmin. Please       review the CVE identifiers referenced below for details.
  Impact :

    Please review the CVE identifiers referenced below for details.
  Workaround :

    There is no known workaround at this time.

This update for phpMyAdmin fixes security issues and bugs.

Security issues addressed in the 4.8.4 release (bsc#1119245) :

  - CVE-2018-19968: Local file inclusion through     transformation feature

  - CVE-2018-19969: XSRF/CSRF vulnerability

  - CVE-2018-19970: XSS vulnerability in navigation tree

This update also contains the following upstream bug fixes and improvements :

  - Ensure that database names with a dot ('.') are handled     properly when DisableIS is true

  - Fix for message 'Error while copying database     (pma__column_info)'

  - Move operation causes 'SELECT * FROM `undefined`' error

  - When logging with $cfg['AuthLog'] to syslog, successful     login messages were not logged when     $cfg['AuthLogSuccess'] was true

  - Multiple errors and regressions with Designer

According to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.7.x prior or equal to 4.7.6 or 4.8.x prior to 4.8.4. It is, therefore, affected by multiple cross-site request forgery (XSRF) vulnerabilities. A remote attacker can exploit this by tricking a user into visiting a specially crafted web page, allowing the attacker to disclose sensitive information, impersonate the user's identity, or inject malicious content into the victim's web browser. (CVE-2018-19969) 

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
113292	phpMyAdmin 4.7.x < 4.8.4 Cross-Site Request Forgery	Web App Scanning	Component Vulnerability	high
124072	GLSA-201904-16 : phpMyAdmin: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
123153	openSUSE Security Update : phpMyAdmin (openSUSE-2019-1009)	Nessus	SuSE Local Security Checks	high
119707	openSUSE Security Update : phpMyAdmin (openSUSE-2018-1547)	Nessus	SuSE Local Security Checks	high
119600	phpMyAdmin 4.7.x <= 4.7.6 / 4.8.x < 4.8.4 Multiple XSRF/CSRF Vulnerabilities (PMASA-2018-7)	Nessus	CGI abuses	high

Detections

Analytics

CVE-2018-19969

high

Tenable Plugins

high

high

high

high

high