Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2011-2506 — Code Injection in Phpmyadmin

CWE-94 — Code Injection7 documents5 sources

Severity

7.5HIGHNVD

EPSS

33.7%

top 3.04%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Phpmyadmin Debian Phpmyadmin

Timeline

PublishedJul 14

Latest updateMay 14

Description

setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages4 packages

▶debiandebian/phpmyadmin< phpmyadmin 4:3.4.3.1-1 (bookworm)

▶Packagistphpmyadmin/phpmyadmin3.0 — 3.3.10.2+1

▶Debianphpmyadmin/phpmyadmin< 4:3.4.3.1-1+3

▶NVDphpmyadmin/phpmyadmin34 versions+33

Patches

Patch: www.phpmyadmin.net ↗Patch: www.phpmyadmin.net ↗

🔴Vulnerability Details

GHSA

phpMyAdmin vulnerable to static code injection↗2022-05-14

▶

OSV

phpMyAdmin vulnerable to static code injection↗2022-05-14

▶

OSV

CVE-2011-2506: setup/lib/ConfigGenerator↗2011-07-14

▶

💥Exploits & PoCs

Exploit-DB

phpMyAdmin 3.x - Swekey Remote Code Injection↗2011-07-09

▶

Exploit-DB

phpMyAdmin3 (pma3) - Remote Code Execution↗2011-07-08

▶

📋Vendor Advisories

Debian

CVE-2011-2506: phpmyadmin - setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x ...↗2011

▶