cbcvebase.
CVE-2021-29625
published 2021-05-19


Priority: P3 (44), medium
CVSS 3.1: 6.1 (AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N)
EXPLOIT: (none listed)
EPSS: 9.57% (94.9th percentile)
Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected. The vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`).

Affected

11 ranges

Vendor    Product   Version range                         Fixed in
adminer   adminer   >= 0 < 4.7.9-2                        4.7.9-2
adminer   adminer   >= 0 < 4.7.9-2                        4.7.9-2
adminer   adminer   >= 0 < 4.7.9-2                        4.7.9-2
adminer   adminer   >= 0 < 4.7.9-2                        4.7.9-2
adminer   adminer   >= 0 < 4.2.1-1ubuntu1+esm1            4.2.1-1ubuntu1+esm1
adminer   adminer   >= 0 < 4.6.2-1ubuntu0.1~esm1          4.6.2-1ubuntu0.1~esm1
adminer   adminer   >= 0 < 4.7.6-1ubuntu0.1~esm1          4.7.6-1ubuntu0.1~esm1
adminer   adminer   >= 4.6.1 < 4.8.1                      4.8.1
debian    adminer   < adminer 4.7.9-2 (bookworm)          adminer 4.7.9-2 (bookworm)
vrana     adminer   (no range given)                      (none given)
vrana     adminer   >= 4.7.8 < 4.8.1                      4.8.1

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      6.1     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd             v2.0      4.3     MEDIUM     AV:N/AC:M/Au:N/C:N/I:P/A:N
osv             -         6.1     MEDIUM     -
vendor_debian   -         7.5     HIGH       -
vendor_ubuntu   -         6.1     MEDIUM     -