phpMyAdmin 4.0.x < / 4.1.x < / 4.2.x < 4.2.12 Multiple Vulnerabilities (PMASA-2014-13 through 16)

medium Nessus Network Monitor Plugin ID 8583


The remote web server contains a PHP application that is affected by numerous security vulnerabilities as a result of improper user input sanitation among other bugs.


phpMyAdmin is a free and open source tool written in PHP intended to handle the administration of MySQL with the use of a web browser. Versions of phpMyAdmin 4.0.x prior to, 4.1.x prior to and 4.2.x prior to 4.2.12 are potentially affected by multiple vulnerabilities :

- Prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input submitted to the table browse page, table print view and zoom search pages, and home page. (PMASA-2014-13)

- It is possible to include an arbitrary file through the GIS editor due to a lack of sanitizing user-supplied input using directory-traversal strings (../). (PMASA-2014-14)

- Prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input submitted to the error_report.lib.php script. (PMASA-2014-15)

- It is possible to obtain the line count of arbitrary files due to failure to sanitize user-supplied input submitted to the filename parameter of the error_report.lib.php script. (PMASA-2014-16)


Either upgrade to phpMyAdmin,, 4.2.12 or later, or apply the patches from the referenced links.

See Also

Plugin Details

Severity: Medium

ID: 8583

Family: CGI

Published: 11/24/2014

Updated: 3/6/2019

Nessus ID: 79588, 79599, 79653, 79654, 79777

Risk Information


Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C


Risk Factor: Medium

Base Score: 6.3

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*

Patch Publication Date: 11/20/2014

Vulnerability Publication Date: 11/19/2014

Reference Information

CVE: CVE-2014-8958, CVE-2014-8959, CVE-2014-8960, CVE-2014-8961

BID: 71247, 71245, 71244, 71243