Debian Phpmyadmin vulnerabilities

270 known vulnerabilities affecting debian/phpmyadmin.

Total CVEs: 270
CISA KEV: 1 (actively exploited)
Public exploits: 41
Exploited in wild: 3
Severity breakdown: CRITICAL 18, HIGH 27, MEDIUM 95, LOW 130

Vulnerabilities

Page 10 of 14
CVE-2011-0986 | LOW | CVSS 5.0 | fixed in phpmyadmin 4:3.3.9.2-1 (bookworm) | 2011
CVE-2011-0986 [MEDIUM] phpmyadmin - phpMyAdmin 2.11.x before 2.11.11.2, and 3.3.x before 3.3.9.1, does not properly handle the absence of the (1) README, (2) ChangeLog, and (3) LICENSE files, which allows remote attackers to obtain the installation path via a direct request for a nonexistent file. Scope: local bookworm: resolved (fixed in 4:3.3.9.2-1) bullseye: resolved (fixed in 4:3.3.9.2-1) forky
CVE-2011-2506 | LOW | CVSS 7.5 | PoC | fixed in phpmyadmin 4:3.4.3.1-1 (bookworm) | 2011
CVE-2011-2506 [HIGH] phpmyadmin - setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array. Scope: local bookworm: resolved (fixed in 4:3.4.3.1-1) bullseye
CVE-2011-2719 | LOW | CVSS 6.4 | fixed in phpmyadmin 4:3.4.3.2-1 (bookworm) | 2011
CVE-2011-2719 [MEDIUM] phpmyadmin - libraries/auth/swekey/swekey.auth.lib.php in phpMyAdmin 3.x before 3.3.10.3 and 3.4.x before 3.4.3.2 does not properly manage sessions associated with Swekey authentication, which allows remote attackers to modify the SESSION superglobal array, other superglobal arrays, and certain swekey.auth.lib.php local variables via a crafted query string, a related issue to
CVE-2011-2642 | LOW | CVSS 2.6 | fixed in phpmyadmin 4:3.4.3.2-1 (bookworm) | 2011
CVE-2011-2642 [LOW] phpmyadmin - Multiple cross-site scripting (XSS) vulnerabilities in the table Print view implementation in tbl_printview.php in phpMyAdmin before 3.3.10.3 and 3.4.x before 3.4.3.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted table name. Scope: local bookworm: resolved (fixed in 4:3.4.3.2-1) bullseye: resolved (fixed in 4:3.4.3.2-1) forky:
CVE-2011-4064 | LOW | CVSS 4.3 | fixed in phpmyadmin 4:3.4.6-1 (bookworm) | 2011
CVE-2011-4064 [MEDIUM] phpmyadmin - Cross-site scripting (XSS) vulnerability in the setup interface in phpMyAdmin 3.4.x before 3.4.6 allows remote attackers to inject arbitrary web script or HTML via a crafted value. Scope: local bookworm: resolved (fixed in 4:3.4.6-1) bullseye: resolved (fixed in 4:3.4.6-1) forky: resolved (fixed in 4:3.4.6-1) sid: resolved (fixed in 4:3.4.6-1) trixie: resolved (f
CVE-2011-4780 | LOW | CVSS 4.3 | fixed in phpmyadmin 4:3.4.9-1 (bookworm) | 2011
CVE-2011-4780 [MEDIUM] phpmyadmin - Multiple cross-site scripting (XSS) vulnerabilities in libraries/display_export.lib.php in phpMyAdmin 3.4.x before 3.4.9 allow remote attackers to inject arbitrary web script or HTML via crafted URL parameters, related to the export panels in the (1) server, (2) database, and (3) table sections. Scope: local bookworm: resolved (fixed in 4:3.4.9-1) bullseye: resol
CVE-2011-4634 | LOW | CVSS 4.3 | fixed in phpmyadmin 4:3.4.8-1 (bookworm) | 2011
CVE-2011-4634 [MEDIUM] phpmyadmin - Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.4.x before 3.4.8 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted database name, related to the Database Synchronize panel; (2) a crafted database name, related to the Database rename panel; (3) a crafted SQL query, related to the table overview panel; (4) a crafted
CVE-2010-3055 | HIGH | CVSS 7.5 | fixed in phpmyadmin 4:3.0.0 (bookworm) | 2010
CVE-2010-3055 [HIGH] phpmyadmin - The configuration setup script (aka scripts/setup.php) in phpMyAdmin 2.11.x before 2.11.10.1 does not properly restrict key names in its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request. Scope: local bookworm: resolved (fixed in 4:3.0.0) bullseye: resolved (fixed in 4:3.0.0) forky: resolved (fixed in 4:3.0.0) sid:
CVE-2010-4481 | MEDIUM | CVSS 5.0 | fixed in phpmyadmin 4:3.3.7-3 (bookworm) | 2010
CVE-2010-4481 [MEDIUM] phpmyadmin - phpMyAdmin before 3.4.0-beta1 allows remote attackers to bypass authentication and obtain sensitive information via a direct request to phpinfo.php, which calls the phpinfo function. Scope: local bookworm: resolved (fixed in 4:3.3.7-3) bullseye: resolved (fixed in 4:3.3.7-3) forky: resolved (fixed in 4:3.3.7-3) sid: resolved (fixed in 4:3.3.7-3) trixie: resolved
CVE-2010-3056 | MEDIUM | CVSS 4.3 | fixed in phpmyadmin 4:3.3.5.1-1 (bookworm) | 2010
CVE-2010-3056 [MEDIUM] phpmyadmin - Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 2.11.x before 2.11.10.1 and 3.x before 3.3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) db_search.php, (2) db_sql.php, (3) db_structure.php, (4) js/messages.php, (5) libraries/common.lib.php, (6) libraries/database_interface.lib.php, (7) libraries/dbi
CVE-2010-4329 | MEDIUM | CVSS 4.3 | fixed in phpmyadmin 4:3.3.7-2 (bookworm) | 2010
CVE-2010-4329 [MEDIUM] phpmyadmin - Cross-site scripting (XSS) vulnerability in the PMA_linkOrButton function in libraries/common.lib.php in the database (db) search script in phpMyAdmin 2.11.x before 2.11.11.1 and 3.x before 3.3.8.1 allows remote attackers to inject arbitrary web script or HTML via a crafted request. Scope: local bookworm: resolved (fixed in 4:3.3.7-2) bullseye: resolved (fixed in
CVE-2010-2958 | MEDIUM | CVSS 4.3 | fixed in phpmyadmin 4:3.3.6-1 (bookworm) | 2010
CVE-2010-2958 [MEDIUM] phpmyadmin - Cross-site scripting (XSS) vulnerability in libraries/Error.class.php in phpMyAdmin 3.x before 3.3.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to a PHP backtrace and error messages (aka debugging messages), a different vulnerability than CVE-2010-3056. Scope: local bookworm: resolved (fixed in 4:3.3.6-1) bullseye: resolved
CVE-2010-4480 | MEDIUM | CVSS 4.3 | PoC | fixed in phpmyadmin 4:3.3.7-3 (bookworm) | 2010
CVE-2010-4480 [MEDIUM] phpmyadmin - error.php in PhpMyAdmin 3.3.8.1, and other versions before 3.4.0-beta1, allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted BBcode tag containing "@" characters, as demonstrated using "[a@url@page]". Scope: local bookworm: resolved (fixed in 4:3.3.7-3) bullseye: resolved (fixed in 4:3.3.7-3) forky: resolved (fixed in 4:3.3.7-3) sid
CVE-2010-3263 | LOW | CVSS 4.3 | fixed in phpmyadmin 4:3.3.7-1 (bookworm) | 2010
CVE-2010-3263 [MEDIUM] phpmyadmin - Cross-site scripting (XSS) vulnerability in setup/frames/index.inc.php in the setup script in phpMyAdmin 3.x before 3.3.7 allows remote attackers to inject arbitrary web script or HTML via a server name. Scope: local bookworm: resolved (fixed in 4:3.3.7-1) bullseye: resolved (fixed in 4:3.3.7-1) forky: resolved (fixed in 4:3.3.7-1) sid: resolved (fixed in 4:3.3.7
CVE-2009-1151 | CRITICAL | CVSS 9.8 | KEV | PoC | fixed in phpmyadmin 4:3.1.3.1-1 (bookworm) | 2009
CVE-2009-1151 [CRITICAL] phpmyadmin - Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action. Scope: local bookworm: resolved (fixed in 4:3.1.3.1-1) bullseye: resolved (fixed in 4:3.1.3.1-1) forky: resolved (fixed in 4:3.1.3.1-1) sid: resolved (fix
CVE-2009-3697 | HIGH | CVSS 7.5 | fixed in phpmyadmin 4:3.2.2.1-1 (bookworm) | 2009
CVE-2009-3697 [HIGH] phpmyadmin - SQL injection vulnerability in the PDF schema generator functionality in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified interface parameters. Scope: local bookworm: resolved (fixed in 4:3.2.2.1-1) bullseye: resolved (fixed in 4:3.2.2.1-1) forky: resolved (fixed in 4:3.2.2.1-1) sid:
CVE-2009-1149 | HIGH | CVSS 7.5 | fixed in phpmyadmin 4:3.1.3.1-1 (bookworm) | 2009
CVE-2009-1149 [HIGH] phpmyadmin - CRLF injection vulnerability in bs_disp_as_mime_type.php in the BLOB streaming feature in phpMyAdmin before 3.1.3.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the (1) c_type and possibly (2) file_type parameters. Scope: local bookworm: resolved (fixed in 4:3.1.3.1-1) bullseye: resolved (fixed in 4:3.1.3.
CVE-2009-2284 | MEDIUM | CVSS 4.3 | fixed in phpmyadmin 4:3.2.0.1-1 (bookworm) | 2009
CVE-2009-2284 [MEDIUM] phpmyadmin - Cross-site scripting (XSS) vulnerability in phpMyAdmin before 3.2.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted SQL bookmark. Scope: local bookworm: resolved (fixed in 4:3.2.0.1-1) bullseye: resolved (fixed in 4:3.2.0.1-1) forky: resolved (fixed in 4:3.2.0.1-1) sid: resolved (fixed in 4:3.2.0.1-1) trixie: resolved (fixed in 4:3.
CVE-2009-1150 | MEDIUM | CVSS 4.3 | fixed in phpmyadmin 4:3.1.3.1-1 (bookworm) | 2009
CVE-2009-1150 [MEDIUM] phpmyadmin - Multiple cross-site scripting (XSS) vulnerabilities in the export page (display_export.lib.php) in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allow remote attackers to inject arbitrary web script or HTML via the pma_db_filename_template cookie. Scope: local bookworm: resolved (fixed in 4:3.1.3.1-1) bullseye: resolved (fixed in 4:3.1.3.1-1) forky: re
CVE-2009-1148 | MEDIUM | CVSS 5.0 | fixed in phpmyadmin 4:3.1.3.1-1 (bookworm) | 2009
CVE-2009-1148 [MEDIUM] phpmyadmin - Directory traversal vulnerability in bs_disp_as_mime_type.php in the BLOB streaming feature in phpMyAdmin before 3.1.3.1 allows remote attackers to read arbitrary files via directory traversal sequences in the file_path parameter ($filename variable). Scope: local bookworm: resolved (fixed in 4:3.1.3.1-1) bullseye: resolved (fixed in 4:3.1.3.1-1) forky: resolved