cvebase.
CVE-2017-1000499
published 2018-01-03


Priority: P2 (59) · Severity: high · CVSS 3.0 base score: 8.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 8.46% (94.3rd percentile)
phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a CSRF weakness. By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc.

Affected

3 ranges
Vendor        Product       Version range       Fixed in
debian        phpmyadmin    (not listed)        (not listed)
phpmyadmin    phpmyadmin    >= 4.7 < 4.7.7      4.7.7
phpmyadmin    phpmyadmin    >= 4.7.0 < 4.7.7    4.7.7

Detection & IOCs (extracted from sources)

Source: vulnspy.com
  • Monitor requests to phpMyAdmin endpoints whose Referer (or Origin) header belongs to another origin, which may indicate CSRF exploitation, particularly requests whose SQL statement performs DROP, TRUNCATE or DELETE. The described attack is a crafted URL, so include GET requests and not only POSTs, and treat a missing Referer as a weak signal rather than a clean one, since browsers and proxies often strip it.
  • Detect outbound DNS queries from the database server containing hex-encoded or plaintext credential strings followed by an attacker-controlled domain (DNS exfiltration via a LOAD_FILE/CONCAT pattern).
  • Alert on MySQL SELECT ... INTO OUTFILE statements writing PHP files to web-accessible directories (e.g. /var/www/html/), which indicates CSRF-driven arbitrary file write. The write only succeeds when the MySQL account phpMyAdmin connects with holds the FILE privilege and secure_file_priv does not restrict the target directory, so check both when triaging.
  • Affected versions are phpMyAdmin 4.7.0 through 4.7.6 (fixed in 4.7.6.1 and 4.7.7); flag installations running these versions as unpatched. Versions older than 4.7.0 are explicitly listed as unaffected, so do not apply these detections broadly to older installs.
  • The CSRF exploit requires the victim DB admin to have an active authenticated phpMyAdmin session in the browser that loads the crafted URL at the time of exploitation; no session means no impact.
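The first and third detection items above can be turned into a log check. The following is an added example, not code from this page's source or from the phpMyAdmin project: it parses Apache combined-format access log lines, keeps those aimed at phpMyAdmin's sql.php or import.php, pulls the statement out of the sql_query parameter (phpMyAdmin's own parameter name for sql.php; adjust the endpoint paths to your installation's prefix), and flags destructive statements whose Referer is missing or belongs to a host outside the trusted set, as well as any INTO OUTFILE/DUMPFILE statement. The log lines and the host dba.example.com are constructed for the example. The DNS exfiltration item needs resolver logs and is not covered here.

```python
"""Scan access logs for CSRF-driven SQL execution against phpMyAdmin.

Heuristic: a request to sql.php carrying a destructive statement in
sql_query whose Referer is absent or cross-origin is worth an alert;
so is any statement that tries to write a file with INTO OUTFILE.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines (not real traffic). The
# trusted phpMyAdmin host dba.example.com is an assumption of the example.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jan/2018:10:15:02 +0000] "GET /phpmyadmin/sql.php?db=app&table=users&sql_query=DROP+TABLE+users HTTP/1.1" 200 512 "http://evil.example/" "Mozilla/5.0"
203.0.113.7 - - [03/Jan/2018:10:15:09 +0000] "GET /phpmyadmin/sql.php?db=app&sql_query=SELECT+1 HTTP/1.1" 200 512 "http://evil.example/" "Mozilla/5.0"
198.51.100.4 - - [03/Jan/2018:10:16:30 +0000] "POST /phpmyadmin/import.php HTTP/1.1" 200 1024 "https://dba.example.com/phpmyadmin/index.php" "Mozilla/5.0"
198.51.100.4 - - [03/Jan/2018:10:17:00 +0000] "GET /phpmyadmin/sql.php?db=app&table=logs&sql_query=TRUNCATE+TABLE+logs HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Jan/2018:10:18:00 +0000] "GET /index.html HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Jan/2018:10:19:12 +0000] "GET /phpmyadmin/sql.php?db=app&sql_query=SELECT+%27x%27+INTO+OUTFILE+%27%2Fvar%2Fwww%2Fhtml%2Fx.php%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Statements the page's source names as the CSRF payloads of interest.
DESTRUCTIVE_RE = re.compile(r'^\s*(DROP|TRUNCATE|DELETE)\b', re.I)
# File-write primitive; needs FILE privilege and a permissive secure_file_priv.
OUTFILE_RE = re.compile(r'\bINTO\s+(OUTFILE|DUMPFILE)\b', re.I)
# phpMyAdmin endpoints that execute SQL; adjust the prefix to your deployment.
PMA_ENDPOINT_RE = re.compile(r'/(sql|import)\.php$')


def classify_referer(referer, trusted_hosts):
    """Return 'missing', 'same-origin' or 'cross-origin' for a Referer value."""
    if referer in ('', '-'):
        return 'missing'
    host = (urlsplit(referer).hostname or '').lower()
    return 'same-origin' if host in trusted_hosts else 'cross-origin'


def analyze_line(line, trusted_hosts):
    """Return a finding dict for a suspicious phpMyAdmin request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['target'])
    if not PMA_ENDPOINT_RE.search(url.path):
        return None
    # parse_qs decodes %xx and turns '+' into spaces, so the SQL is readable.
    sql = parse_qs(url.query).get('sql_query', [''])[0]
    referer_class = classify_referer(m['referer'], trusted_hosts)
    reasons = []
    if DESTRUCTIVE_RE.match(sql) and referer_class != 'same-origin':
        reasons.append('destructive-sql-%s-referer' % referer_class)
    if OUTFILE_RE.search(sql):
        reasons.append('into-outfile')
    if not reasons:
        return None
    return {
        'ip': m['ip'], 'ts': m['ts'], 'method': m['method'],
        'path': url.path, 'sql': sql, 'referer': m['referer'],
        'reasons': reasons,
    }


def scan(log_text, trusted_hosts):
    """Run analyze_line over every line of an access log; return the findings."""
    findings = (analyze_line(line, trusted_hosts) for line in log_text.splitlines())
    return [f for f in findings if f is not None]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG, {'dba.example.com'}):
        print(finding['ts'], finding['ip'], finding['reasons'], finding['sql'])
```

Two limits to keep in mind when deploying this: an access log never contains POST bodies, so a statement submitted in a form body is invisible to it (a web application firewall or request-body logging is needed for that), and a request with a missing Referer is only a weak signal, which is why the example labels it separately from a cross-origin one.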

CVSS provenance

nvd            v3.0   8.8   HIGH     CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd            v2.0   6.8   MEDIUM   AV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_debian         8.8   LOW