Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2011-2505: Code Injection in phpMyAdmin

Severity: 6.4 MEDIUM (NVD)
EPSS: 37.0% (top 2.83%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline
Published: Jul 14
Latest update: Jun 11

Description

libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a "remote variable manipulation vulnerability."

CVSS vector

AV:N/AC:L/C:N/I:P/A:P
Exploitability: 10.0 | Impact: 4.9

Affected Packages (4 packages)

debian | debian/phpmyadmin | < phpmyadmin 4:3.4.3.1-1 (bookworm) | +1
Packagist | phpmyadmin/phpmyadmin | 3.0 | 3.3.10.2 | +1
Debian | phpmyadmin/phpmyadmin | < 4:3.4.3.2-1 | +7
NVD | phpmyadmin/phpmyadmin | 36 versions | +35

Patches

🔴 Vulnerability Details (6)

OSV: phpMyAdmin remote variable manipulation (2022-05-14)
GHSA: phpMyAdmin remote variable manipulation (2022-05-14)
GHSA: GHSA-fmmw-6q24-3wqx: libraries/auth/swekey/swekey (2022-05-14)
OSV: CVE-2011-2719: libraries/auth/swekey/swekey (2011-08-01)
OSV: CVE-2011-2505: libraries/auth/swekey/swekey (2011-07-14)

💥 Exploits & PoCs (2)

Exploit-DB: phpMyAdmin 3.x - Swekey Remote Code Injection (2011-07-09)
Exploit-DB: phpMyAdmin3 (pma3) - Remote Code Execution (2011-07-08)

📋 Vendor Advisories (2)

Debian: CVE-2011-2505: phpmyadmin - libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature i... (2011)
Debian: CVE-2011-2719: phpmyadmin - libraries/auth/swekey/swekey.auth.lib.php in phpMyAdmin 3.x before 3.3.10.3 and ... (2011)

📄 Research Papers (1)

arXiv: Mapping NVD Records to Their VFCs: How Hard is it? (2025-06-11)