Vulnerability CVE-2019-12616


Published: 2019-06-05

Description:
An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.

See advisories in our WLB2 database:
Topic: phpMyAdmin 4.8 Cross Site Request Forgery (Low)
Author: Riemann
Date: 13.06.2019

Type: CWE-352 (Cross-Site Request Forgery (CSRF))

Vendor: Phpmyadmin
Product: Phpmyadmin
Version:
4.8.3
4.8.2
4.8.1
4.8.0.1
4.8.0
4.7.9
4.7.8
4.7.7
4.7.6
4.7.5
4.7.4
4.7.3
4.7.2
4.7.1
4.7.0
4.6.6
4.6.5.2
4.6.5.1
4.6.5
4.6.4
4.6.3
4.6.2
4.6.1
4.6.0
4.5.5.1
4.5.5
4.5.4.1
4.5.4
4.5.3.1
4.5.3
4.5.2
4.5.1
4.5.0.2
4.5.0.1
4.5.0
4.4.9
4.4.8
4.4.7
4.4.6.1
4.4.6
4.4.5
4.4.4
4.4.3
4.4.2
4.4.15.9
4.4.15.8
4.4.15.7
4.4.15.6
4.4.15.5
4.4.15.4
4.4.15.3
4.4.15.2
4.4.15.10
4.4.15.1
4.4.15
4.4.14.1
4.4.14
4.4.13.1
4.4.13
4.4.12
4.4.11
4.4.10
4.4.1.1
4.4.1
4.4.0
4.3.9
4.3.8
4.3.7
4.3.6
4.3.5
4.3.4
4.3.3
4.3.2
4.3.13.3
4.3.13.2
4.3.13.1
4.3.13
4.3.12
4.3.11.1
4.3.11
4.3.10
4.3.1
4.3.0
4.2.9.1
4.2.9
4.2.8.1
4.2.8
4.2.7.1
4.2.7
4.2.6
4.2.5
4.2.4
4.2.3
4.2.2
4.2.13.3
4.2.13.2
4.2.13.1
4.2.13
4.2.12
4.2.11
See more versions on NVD

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Not required

Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

References:
http://packetstormsecurity.com/files/153251/phpMyAdmin-4.8-Cross-Site-Request-Forgery.html
http://www.securityfocus.com/bid/108619
https://lists.debian.org/debian-lts-announce/2019/06/msg00009.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/II4HC4QO6WUL2IRSQKCB66UBJOLLI5OV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKJMYVXEDXGEGRO42T6H6VOEZJ65QPQ7/
https://www.phpmyadmin.net/security/
https://www.phpmyadmin.net/security/PMASA-2019-4/

Related CVE
CVE-2019-11768
An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature.
CVE-2019-6799
An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is r...
CVE-2019-6798
An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was reported where a specially crafted username can be used to trigger a SQL injection attack through the designer feature.
CVE-2018-19970
In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a crafted database/table name.
CVE-2018-19969
phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, ...
CVE-2018-19968
An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a local file because of an error in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created...
CVE-2018-15605
An issue was discovered in phpMyAdmin before 4.8.3. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted file to manipulate an authenticated user who loads that file through the import feature.
CVE-2018-12613
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and...

Copyright 2019, cxsecurity.com
