SB2017013111 - Multiple vulnerabilities in phpMyAdmin
Published: January 31, 2017 Updated: August 8, 2020
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Open redirect (CVE-ID: CVE-2017-1000013)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to an open redirect weakness.
2) Input validation error (CVE-ID: CVE-2017-1000014)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a DoS weakness in the table editing functionality.
3) Cross-site scripting (CVE-ID: CVE-2017-1000015)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a CSS injection attack through crafted cookie parameters.
4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2016-6621)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The setup script for phpMyAdmin before 4.0.10.19, 4.4.x before 4.4.15.10, and 4.6.x before 4.6.6 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors.
Remediation
Install the update from the vendor's website.
References
- http://www.securityfocus.com/bid/95720
- https://www.phpmyadmin.net/security/PMASA-2017-1
- http://www.securityfocus.com/bid/95721
- https://www.phpmyadmin.net/security/PMASA-2017-3
- http://www.securityfocus.com/bid/95726
- https://www.phpmyadmin.net/security/PMASA-2017-4
- http://www.securityfocus.com/bid/95914
- https://lists.debian.org/debian-lts-announce/2018/07/msg00006.html
- https://www.phpmyadmin.net/security/PMASA-2016-44/