Vulnerability CVE-2019-12616
Published: 2019-06-05

Description:
An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.

See advisories in our WLB2 database:

Risk   Topic                                      Author    Date
Low    phpMyAdmin 4.8 Cross Site Request Forgery  Riemann   13.06.2019

Type: CWE-352 (Cross-Site Request Forgery (CSRF))

Vendor: Phpmyadmin
Product: Phpmyadmin
Version:
4.8.3, 4.8.2, 4.8.1, 4.8.0.1, 4.8.0
4.7.9, 4.7.8, 4.7.7, 4.7.6, 4.7.5, 4.7.4, 4.7.3, 4.7.2, 4.7.1, 4.7.0
4.6.6, 4.6.5.2, 4.6.5.1, 4.6.5, 4.6.4, 4.6.3, 4.6.2, 4.6.1, 4.6.0
4.5.5.1, 4.5.5, 4.5.4.1, 4.5.4, 4.5.3.1, 4.5.3, 4.5.2, 4.5.1, 4.5.0.2, 4.5.0.1, 4.5.0
4.4.9, 4.4.8, 4.4.7, 4.4.6.1, 4.4.6, 4.4.5, 4.4.4, 4.4.3, 4.4.2, 4.4.15.9, 4.4.15.8, 4.4.15.7, 4.4.15.6, 4.4.15.5, 4.4.15.4, 4.4.15.3, 4.4.15.2, 4.4.15.10, 4.4.15.1, 4.4.15, 4.4.14.1, 4.4.14, 4.4.13.1, 4.4.13, 4.4.12, 4.4.11, 4.4.10, 4.4.1.1, 4.4.1, 4.4.0
4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.2, 4.3.13.3, 4.3.13.2, 4.3.13.1, 4.3.13, 4.3.12, 4.3.11.1, 4.3.11, 4.3.10, 4.3.1, 4.3.0
4.2.9.1, 4.2.9, 4.2.8.1, 4.2.8, 4.2.7.1, 4.2.7, 4.2.6, 4.2.5, 4.2.4, 4.2.3, 4.2.2, 4.2.13.3, 4.2.13.2, 4.2.13.1, 4.2.13, 4.2.12, 4.2.11
See more versions on NVD

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score:         4.3/10
Impact Subscore:         2.9/10
Exploitability Subscore: 8.6/10

Exploit range:           Remote
Attack complexity:       Medium
Authentication:          Not required

Confidentiality impact:  None
Integrity impact:        Partial
Availability impact:     None

References:
http://packetstormsecurity.com/files/153251/phpMyAdmin-4.8-Cross-Site-Request-Forgery.html
http://www.securityfocus.com/bid/108619
https://lists.debian.org/debian-lts-announce/2019/06/msg00009.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/II4HC4QO6WUL2IRSQKCB66UBJOLLI5OV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKJMYVXEDXGEGRO42T6H6VOEZJ65QPQ7/
https://www.phpmyadmin.net/security/
https://www.phpmyadmin.net/security/PMASA-2019-4/

Related CVE
CVE-2019-18622
An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature.
CVE-2019-12922
A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server in the Setup page.
CVE-2019-11768
An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature.
CVE-2019-6799
An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is r...
CVE-2019-6798
An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was reported where a specially crafted username can be used to trigger a SQL injection attack through the designer feature.
CVE-2018-19970
In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a crafted database/table name.
CVE-2018-19969
phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, ...
CVE-2018-19968
An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a local file because of an error in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created...

Copyright 2019, cxsecurity.com