The version of phpMyAdmin installed on the remote web server is 4.9.x prior to 4.9.8 or 5.1.x prior to 5.1.2. It is, therefore, affected by a flaw which may permit a user to bypass two factor authentication for their account. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202311-17 (phpMyAdmin: Multiple Vulnerabilities)

  - PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially sensitive information by creating     invalid requests. This affects the lang parameter, the pma_parameter, and the cookie section.
    (CVE-2022-0813)

  - An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already     authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future     login instances. (CVE-2022-23807)

  - An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects     of the setup script, which can allow XSS or HTML injection. (CVE-2022-23808)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already     authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future     login instances. (CVE-2022-23807)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2023:0047-1 advisory.

  - PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially sensitive information by creating     invalid requests. This affects the lang parameter, the pma_parameter, and the cookie section.
    (CVE-2022-0813)

  - An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already     authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future     login instances. (CVE-2022-23807)

  - An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects     of the setup script, which can allow XSS or HTML injection. (CVE-2022-23808)

  - In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger XSS by uploading a     crafted .sql file through the drag-and-drop interface. (CVE-2023-25727)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
113305	phpMyAdmin 4.9.x < 4.9.8 Two Factor Authentication Bypass	Web App Scanning	Component Vulnerability	7/11/2022	3/14/2023	medium
113306	phpMyAdmin 5.1.x < 5.1.2 Two Factor Authentication Bypass	Web App Scanning	Component Vulnerability	7/11/2022	3/14/2023	medium
186286	GLSA-202311-17 : phpMyAdmin: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	11/26/2023	11/26/2023	high
229642	Linux Distros Unpatched Vulnerability : CVE-2022-23807	Nessus	Misc.	3/5/2025	4/29/2026	medium
171533	openSUSE 15 Security Update : phpMyAdmin (openSUSE-SU-2023:0047-1)	Nessus	SuSE Local Security Checks	2/16/2023	2/16/2023	high

Detections

Analytics

Plugins Search

medium

medium

high

medium

high