
phpMyAdmin 3.5.x < 3.5.8.2 / 4.0.x < 4.0.4.2 Multiple Vulnerabilities

Medium

Synopsis

The remote web server contains a PHP application that is affected by multiple vulnerabilities.

Description

Versions of phpMyAdmin 3.5.x earlier than 3.5.8.2 or 4.0.x earlier than 4.0.4.2 are affected by the following vulnerabilities:

- Numerous input-validation errors exist that could lead to cross-site scripting attacks related to 'version.json', text to link transformations, schema export, SQL queries, setup, chart display, process list, and the logo link. Note that the link transformation issue, PMASA-2013-13 (CVE-2013-5001), only affects the 4.0.x branch. (CVE-2013-4995, CVE-2013-4996, CVE-2013-4997, CVE-2013-5001, CVE-2013-5002)

- Errors exist that could allow full installation path disclosure via error messages. This information could be used in further attacks. (CVE-2013-4998, CVE-2013-4999, CVE-2013-5000)

- Errors in the files 'schema_export.php' and 'pmd_pdf.php' could allow SQL injection attacks. (CVE-2013-5003)

Solution

Either upgrade to phpMyAdmin 3.5.8.2, 4.0.4.2 or later, or apply the patches from the referenced links.
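
To find installations that still need the upgrade, the version ranges above can be checked against an inventory. The following is an added example, not part of the original advisory or of phpMyAdmin; the host names and version strings are constructed, and it assumes a build with a suffix (such as a distribution tag) matches its numeric base version.

```python
import re

# Fixed release for each affected branch, taken from the advisory text.
FIXED = {
    (3, 5): (3, 5, 8, 2),
    (4, 0): (4, 0, 4, 2),
}


def parse_version(text):
    """Return the leading dotted-numeric version as a 4-tuple, or None.

    Trailing suffixes are ignored (assumption: a suffixed build carries
    the same code as its numeric base version).
    """
    match = re.match(r"\s*v?(\d+(?:\.\d+){1,3})", text)
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # "3.5.8" -> (3, 5, 8, 0)


def classify(text):
    """Return 'affected', 'fixed', 'out-of-scope' or 'unparsed'."""
    version = parse_version(text)
    if version is None:
        return "unparsed"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "out-of-scope"  # branch not covered by this advisory
    # Tuple comparison is numeric per component, so 4.0.10 > 4.0.4.2.
    return "affected" if version < fixed else "fixed"


def triage(inventory):
    """Map each host in {host: version_string} to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "web01": "3.5.8.1",
    "web02": "3.5.8.2",
    "web03": "4.0.4.1deb1",
    "web04": "4.0.10",
    "web05": "4.1.0",
    "web06": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```

A version string alone cannot confirm an installation that was fixed by applying the patches rather than upgrading, so hosts reported as affected but known to be patched need to be verified separately.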