Detections
Analytics
phpMyAdmin 3.3.x < 3.3.10.3 / 3.4.x < 3.4.3.2 Multiple Vulnerabilities
medium Nessus Network Monitor Plugin ID 5995
Synopsis
The remote web server contains a PHP application that is vulnerable to multiple attack vectors.Description
Versions of phpMyAdmin 3.3.x earlier than 3.3.10.3 and 3.4.x earlier than 3.4.3.2 are potentially affected by multiple vulnerabilities :- A cross-site scripting vulnerability exists in the table Print view. (PMASA-2011-9)
- A local file inclusion vulnerability can be exploited via a specially crafted MIME-type transformation parameter. (PMASA-2011-10)
- In the 'relational schema' code a parameter is not sanitized before being used to concatenate a class name which could lead to a local file inclusion or code execution. (PMASA-2011-11)
- It is possible to manipulate the PHP superglobals (including SESSION) using some of the Swekey authentication code. (PMASA-2011-12)
Solution
Upgrade to phpMyAdmin 3.3.10.3, 3.4.3.2, or later.See Also
http://www.phpmyadmin.net/home_page/security/PMASA-2011-9
http://www.phpmyadmin.net/home_page/security/PMASA-2011-10
http://www.phpmyadmin.net/home_page/security/PMASA-2011-11
http://www.phpmyadmin.net/home_page/security/PMASA-2011-12
http://www.xxor.se/advisories/phpMyAdmin_3.x_Conditional_Session_Manipulation.txt
Plugin Details
Severity: Medium
ID: 5995
Family: CGI
Published: 7/28/2011
Updated: 3/6/2019
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: Medium
Base Score: 6.5
Temporal Score: 5.4
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS v3
Risk Factor: Medium
Base Score: 6.3
Temporal Score: 5.9
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:phpmyadmin:phpmyadmin
Patch Publication Date: 7/23/2011
Vulnerability Publication Date: 7/23/2011
Reference Information
CVE: CVE-2011-2642, CVE-2011-2643
BID: 48874