⚠ Exploited in the wild

Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2018-12613 — Improper Authentication in Phpmyadmin

CWE-287 — Improper Authentication15 documents11 sources

Severity

8.8HIGHNVD

EPSS

94.3%

top 0.06%

CISA KEV

Not in KEV

Exploit

Exploited in wild

Active exploitation observed

Affected products

Phpmyadmin Debian Phpmyadmin

Timeline

PublishedJun 21

Latest updateMay 13

Description

An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) an…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDphpmyadmin/phpmyadmin4.8.0 — 4.8.2

▶Packagistphpmyadmin/phpmyadmin4.8 — 4.8.2

▶debiandebian/phpmyadmin

🔴Vulnerability Details

GHSA

phpMyAdmin Improper Authentication↗2022-05-13

▶

OSV

phpMyAdmin Improper Authentication↗2022-05-13

▶

VulnCheck

phpMyAdmin phpMyAdmin Improper Authentication↗2018

▶

💥Exploits & PoCs

Exploit-DB

phpMyAdmin 4.8.1 - Remote Code Execution (RCE)↗2021-10-25

▶

Exploit-DB

phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit)↗2018-07-13

▶

Exploit-DB

phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2)↗2018-06-22

▶

Exploit-DB

phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (1)↗2018-06-21

▶

Metasploit

phpMyAdmin Authenticated Remote Code Execution↗

▶

📋Vendor Advisories

Debian

CVE-2018-12613: phpmyadmin - An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker c...↗2018

▶

🕵️Threat Intelligence

Greynoiseio

NoiseLetter October 2025↗

▶

📄Research Papers

arXiv

ATTACK2VEC: Leveraging Temporal Word Embeddings to Understand the Evolution of Cyberattacks↗2019-05-29

▶

💬Community

Bugzilla

CVE-2018-19968 CVE-2018-19969 CVE-2018-19970 CVE-2018-12613 phpMyAdmin: Multiple security issues fixed in 4.8.4 [epel-all]↗2018-12-13

▶

Bugzilla

CVE-2018-19968 CVE-2018-19969 CVE-2018-19970 CVE-2018-12613 phpMyAdmin: Multiple security issues fixed in 4.8.4↗2018-12-13

▶