CVE-2011-4107
published 2011-11-17


Priority: P3 50, medium
CVSS 3.1: 6.5 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N)
Flags: EXPLOIT
EPSS: 12.85% (95.8th percentile)
The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

Affected

13 ranges

Vendor          Product        Version range                          Fixed in
debian          debian_linux   (not specified)                        (not specified)
debian          phpmyadmin     < phpmyadmin 4:3.4.7.1-1 (bookworm)    phpmyadmin 4:3.4.7.1-1 (bookworm)
fedoraproject   fedora         (not specified)                        (not specified)
fedoraproject   fedora         (not specified)                        (not specified)
fedoraproject   fedora         (not specified)                        (not specified)
phpmyadmin      phpmyadmin     >= 0 < 4:3.4.7.1-1                     4:3.4.7.1-1
phpmyadmin      phpmyadmin     >= 0 < 4:3.4.7.1-1                     4:3.4.7.1-1
phpmyadmin      phpmyadmin     >= 0 < 4:3.4.7.1-1                     4:3.4.7.1-1
phpmyadmin      phpmyadmin     >= 0 < 4:3.4.7.1-1                     4:3.4.7.1-1
phpmyadmin      phpmyadmin     >= 3.3.0 < 3.3.10.5                    3.3.10.5
phpmyadmin      phpmyadmin     >= 3.3.0.0 < 3.3.10.5                  3.3.10.5
phpmyadmin      phpmyadmin     >= 3.4.0 < 3.4.7.1                     3.4.7.1
phpmyadmin      phpmyadmin     >= 3.4.0.0 < 3.4.7.1                   3.4.7.1

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      6.5     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd             v2.0      4.3     MEDIUM     AV:N/AC:M/Au:N/C:P/I:N/A:N
osv             -         6.5     MEDIUM     -
vendor_debian   -         6.5     MEDIUM     -