CSRF in phpMyAdmin

Published: 2017-12-21 14:01:56 | Updated: 2018-01-02 11:59:26
Severity Low
Patch available YES
Number of vulnerabilities 1
CVSSv2 3.2 (AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
CVSSv3 5.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE ID N/A
CWE ID CWE-352
Exploitation vector Network
Public exploit Not available
Vulnerable software phpMyAdmin
Vulnerable software versions phpMyAdmin 4.7.6
phpMyAdmin 4.7.5
phpMyAdmin 4.7.4
Vendor URL phpMyAdmin
Advisory type Public

Security Advisory

1) Cross-site request forgery

Description

The vulnerability allows a remote attacker to perform a CSRF attack.

The vulnerability exists due to missing validation of the request origin when performing certain database operations, such as deleting records or altering/truncating data in tables. A remote attacker can create a specially crafted web page, trick the victim into opening it and perform a CSRF attack.
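
The kind of request-origin validation whose absence is described above, shown as an added example (this is not phpMyAdmin's code and not its actual fix): a PHP guard that a handler would call before deleting or truncating data. The function names, the `token` form field and the example origins are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; not phpMyAdmin code. All names here are hypothetical.

/** Create (once per session) the secret token embedded in every form. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * Decide whether a request may change data.
 * $server mimics $_SERVER, $post mimics $_POST, $session mimics $_SESSION.
 */
function may_modify_data(array $server, array $post, array $session, string $ownOrigin): bool
{
    // 1. State-changing operations are accepted over POST only.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // 2. If the browser sent an Origin header, it must be our own origin.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null && !hash_equals($ownOrigin, $origin)) {
        return false;
    }
    // 3. With or without Origin, the token must match (constant-time compare).
    $expected = $session['csrf_token'] ?? '';
    $given = $post['token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Constructed sample requests for a hypothetical "truncate table" action.
$session = [];
$token = csrf_token($session);
$own = 'https://db.example.test';

$forged = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://other.example.test'];
$legit  = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => $own];

var_dump(may_modify_data($forged, [], $session, $own));                 // cross-site, no token
var_dump(may_modify_data($legit, ['token' => $token], $session, $own)); // same origin, valid token
var_dump(may_modify_data(['REQUEST_METHOD' => 'GET'], ['token' => $token], $session, $own)); // GET
```

Only the second call passes all three checks; a handler would refuse the destructive operation in the other two cases.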

Remediation

Update to version 4.7.7.

External links

https://www.phpmyadmin.net/security/PMASA-2017-9/
