Detections
Analytics
phpMyAdmin 4.0.x < 4.0.10.10 / 4.2.x < 4.2.13.3 / 4.3.x < 4.3.13.1 / 4.4.x < 4.4.6.1 Multiple Vulnerabilities (PMASA-2015-2, PMASA-2015-3)
medium Nessus Network Monitor Plugin ID 9104
Synopsis
The remote web server contains a PHP application that is affected by multiple vulnerabilities.Description
Versions of phpMyAdmin 4.0.x prior to 4.0.10.10, 4.2.x prior to 4.2.13.3, 4.3.x prior to 4.3.13.1, or 4.4.x prior to 4.4.6.1 are unpatched for the following vulnerabilities :- An attacker could trick a user with a crafted URL during installation to alter the configuration file being generated. (CVE-2015-3902)
- A flaw exists in 'libraries/Config.class.php' due to an error in an API call to GitHub that allows a man-in-the-middle attacker to perform unauthorized actions. (CVE-2015-3903)
Solution
Upgrade to phpMyAdmin 4.0.10.10 / 4.2.13.3 / 4.3.13.1 / 4.4.6.1 or later, or apply the patches referenced in the vendor advisory.See Also
http://www.phpmyadmin.net/home_page/security/PMASA-2015-2.php
http://www.phpmyadmin.net/home_page/security/PMASA-2015-3.php
http://www.nessus.org/u?e995f404
http://www.nessus.org/u?9c7f08b0
http://www.nessus.org/u?37e50c37
http://www.nessus.org/u?21f1371b
http://www.nessus.org/u?4c563b16
http://www.nessus.org/u?b6ae04d9
Plugin Details
Severity: Medium
ID: 9104
Family: CGI
Published: 2/25/2016
Updated: 3/6/2019
Nessus ID: 83732
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5.9
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS v3
Risk Factor: Medium
Base Score: 5.6
Temporal Score: 5.4
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:phpmyadmin:phpmyadmin
Patch Publication Date: 5/13/2015
Vulnerability Publication Date: 5/12/2015
Reference Information
CVE: CVE-2015-3902, CVE-2015-3903