Fedora 40 update for phpMyAdmin



| Updated: 2025-05-20
Risk High
Patch available YES
Number of vulnerabilities 8
CVE-ID CVE-2023-30536
CVE-2024-2961
CVE-2023-44270
CVE-2024-55565
CVE-2024-56522
CVE-2024-56519
CVE-2024-56521
CVE-2024-56527
CWE-ID CWE-20
CWE-119
CWE-835
CWE-697
CWE-79
CWE-295
Exploitation vector Network
Public exploit Vulnerability #2 is being exploited in the wild.
Vulnerable software
 Fedora
Operating systems & Components / Operating system

phpMyAdmin
Operating systems & Components / Operating system package or component

Vendor Fedoraproject

Security Bulletin

This security bulletin contains information about 8 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU108058

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-30536

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to alter application's behavior.

The vulnerability exists due to insufficient validation of HTTP headers with newline characters. A remote attacker with ability to control the header names that are passed to Slilm-Psr7 can craft invalid messages, possibly causing application errors or invalid HTTP requests being sent out with an PSR-18 HTTP client.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 40

phpMyAdmin: before 5.2.2-1.fc40

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2025-c17ef0f176


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer overflow

EUVDB-ID: #VU88822

Risk: High

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2024-2961

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the iconv() function when converting string to the ISO-2022-CN-EXT character set. A remote attacker can pass specially crafted input to the application, trigger a 4 byte buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 40

phpMyAdmin: before 5.2.2-1.fc40

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2025-c17ef0f176


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

3) Input validation error

EUVDB-ID: #VU81307

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-44270

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of external CSS files when parsing the "\r" character. A remote attacker can pass specially crafted input to the application and perform spoofing attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 40

phpMyAdmin: before 5.2.2-1.fc40

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2025-c17ef0f176


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Infinite loop

EUVDB-ID: #VU102463

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-55565

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop. A remote user can consume all available system resources and cause denial of service conditions.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 40

phpMyAdmin: before 5.2.2-1.fc40

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2025-c17ef0f176


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Incorrect comparison

EUVDB-ID: #VU102263

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-56522

CWE-ID: CWE-697 - Incorrect Comparison

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to incorrect comparison in unserializeTCPDFtag when processing TCPDF tag hashes. A remote attacker can bypass certain security restrictions. 

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 40

phpMyAdmin: before 5.2.2-1.fc40

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2025-c17ef0f176


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Cross-site scripting

EUVDB-ID: #VU102267

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-56519

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of SVG font-family attribute in setSVGStyles when handling . A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 40

phpMyAdmin: before 5.2.2-1.fc40

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2025-c17ef0f176


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improper certificate validation

EUVDB-ID: #VU102264

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-56521

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to improper certificate validation when using CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER. A remote attacker can perform MitM attack and pass spoofed content into PDF file.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 40

phpMyAdmin: before 5.2.2-1.fc40

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2025-c17ef0f176


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Cross-site scripting

EUVDB-ID: #VU102258

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-56527

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when displaying error messages. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 40

phpMyAdmin: before 5.2.2-1.fc40

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2025-c17ef0f176


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###