Debian Phpmyadmin vulnerabilities

270 known vulnerabilities affecting debian/phpmyadmin.

Total CVEs: 270
CISA KEV: 1 (actively exploited)
Public exploits: 41
Exploited in wild: 3
Severity breakdown: CRITICAL 18, HIGH 27, MEDIUM 95, LOW 130

Vulnerabilities

CVE-2007-5386 | MEDIUM | CVSS 4.3 | PoC | fixed in phpmyadmin 4:2.11.1.2-1 (bookworm) | 2007
CVE-2007-5386 [MEDIUM] phpmyadmin: Cross-site scripting (XSS) vulnerability in scripts/setup.php in phpMyAdmin 2.11.1, when accessed by a browser that does not URL-encode requests, allows remote attackers to inject arbitrary web script or HTML via the query string.
Scope: local; bookworm: resolved (fixed in 4:2.11.1.2-1); bullseye: resolved (fixed in 4:2.11.1.2-1); forky: resolved (fixed in 4:2.11.1.
debian
CVE-2007-1325 | LOW | CVSS 2.1 | fixed in phpmyadmin 4:2.10.0.2-1 (bookworm) | 2007
CVE-2007-1325 [LOW] phpmyadmin: The PMA_ArrayWalkRecursive function in libraries/common.lib.php in phpMyAdmin before 2.10.0.2 does not limit recursion on arrays provided by users, which allows context-dependent attackers to cause a denial of service (web server crash) via an array with many dimensions. NOTE: it could be argued that this vulnerability is caused by a problem in PHP (CVE-2006-1549) a
debian
CVE-2007-2245 | LOW | CVSS 6.8 | fixed in phpmyadmin 4:2.10.1-1 (bookworm) | 2007
CVE-2007-2245 [MEDIUM] phpmyadmin: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.10.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the fieldkey parameter to browse_foreigners.php or (2) certain input to the PMA_sanitize function.
Scope: local; bookworm: resolved (fixed in 4:2.10.1-1); bullseye: resolved (fixed in 4:2.10.1-1); forky: resolved (fi
debian
CVE-2007-0204 | LOW | CVSS 6.8 | fixed in phpmyadmin 4:2.9.1.1-2 (bookworm) | 2007
CVE-2007-0204 [MEDIUM] phpmyadmin: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.9.2-rc1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: some of these details are obtained from third party information.
Scope: local; bookworm: resolved (fixed in 4:2.9.1.1-2); bullseye: resolved (fixed in 4:2.9.1.1-2); forky: resolved (fixed in 4
debian
CVE-2007-0203 | LOW | CVSS 10.0 | fixed in phpmyadmin 4:2.9.1.1-2 (bookworm) | 2007
CVE-2007-0203 [CRITICAL] phpmyadmin: Multiple unspecified vulnerabilities in phpMyAdmin before 2.9.2-rc1 have unknown impact and attack vectors.
Scope: local; bookworm: resolved (fixed in 4:2.9.1.1-2); bullseye: resolved (fixed in 4:2.9.1.1-2); forky: resolved (fixed in 4:2.9.1.1-2); sid: resolved (fixed in 4:2.9.1.1-2); trixie: resolved (fixed in 4:2.9.1.1-2)
debian
CVE-2007-0095 | LOW | CVSS 5.0 | fixed in phpmyadmin 4:2.9.1.1-1 (bookworm) | 2007
CVE-2007-0095 [MEDIUM] phpmyadmin: phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information via a direct request for themes/darkblue_orange/layout.inc.php, which reveals the path in an error message.
Scope: local; bookworm: resolved (fixed in 4:2.9.1.1-1); bullseye: resolved (fixed in 4:2.9.1.1-1); forky: resolved (fixed in 4:2.9.1.1-1); sid: resolved (fixed in 4:2.9.1.1-1); trixie: r
debian
CVE-2007-5977 | LOW | CVSS 6.8 | fixed in phpmyadmin 4:2.11.2.1-1 (bookworm) | 2007
CVE-2007-5977 [MEDIUM] phpmyadmin: Cross-site scripting (XSS) vulnerability in db_create.php in phpMyAdmin before 2.11.2.1 allows remote authenticated users with CREATE DATABASE privileges to inject arbitrary web script or HTML via a hex-encoded IMG element in the db parameter in a POST request, a different vulnerability than CVE-2006-6942.
Scope: local; bookworm: resolved (fixed in 4:2.11.2.1-1); b
debian
CVE-2007-4306 | LOW | CVSS 6.8 | 2007
CVE-2007-4306 [MEDIUM] phpmyadmin: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 2.10.3 allow remote attackers to inject arbitrary web script or HTML via the (1) unlim_num_rows, (2) sql_query, or (3) pos parameter to (a) tbl_export.php; the (4) session_max_rows or (5) pos parameter to (b) sql.php; the (6) username parameter to (c) server_privileges.php; or the (7) sql_query par
debian
CVE-2007-5976 | LOW | CVSS 6.5 | fixed in phpmyadmin 4:2.11.2.1-1 (bookworm) | 2007
CVE-2007-5976 [MEDIUM] phpmyadmin: SQL injection vulnerability in db_create.php in phpMyAdmin before 2.11.2.1 allows remote authenticated users with CREATE DATABASE privileges to execute arbitrary SQL commands via the db parameter.
Scope: local; bookworm: resolved (fixed in 4:2.11.2.1-1); bullseye: resolved (fixed in 4:2.11.2.1-1); forky: resolved (fixed in 4:2.11.2.1-1); sid: resolved (fixed in 4:2.1
debian
CVE-2007-2016 | LOW | CVSS 4.3 | fixed in phpmyadmin 4:2.6.2-3 (bookworm) | 2007
CVE-2007-2016 [MEDIUM] phpmyadmin: Cross-site scripting (XSS) vulnerability in mysql/phpinfo.php in phpMyAdmin 2.6.1 allows remote attackers to inject arbitrary web script or HTML via the lang[] parameter.
Scope: local; bookworm: resolved (fixed in 4:2.6.2-3); bullseye: resolved (fixed in 4:2.6.2-3); forky: resolved (fixed in 4:2.6.2-3); sid: resolved (fixed in 4:2.6.2-3); trixie: resolved (fixed in 4:
debian
CVE-2006-6944 | MEDIUM | CVSS 7.5 | fixed in phpmyadmin 4:2.9.1.1-2 (bookworm) | 2006
CVE-2006-6944 [HIGH] phpmyadmin: phpMyAdmin before 2.9.1.1 allows remote attackers to bypass Allow/Deny access rules that use IP addresses via false headers.
Scope: local; bookworm: resolved (fixed in 4:2.9.1.1-2); bullseye: resolved (fixed in 4:2.9.1.1-2); forky: resolved (fixed in 4:2.9.1.1-2); sid: resolved (fixed in 4:2.9.1.1-2); trixie: resolved (fixed in 4:2.9.1.1-2)
debian
CVE-2006-6942 | MEDIUM | CVSS 6.8 | PoC | fixed in phpmyadmin 4:2.9.1.1-2 (bookworm) | 2006
CVE-2006-6942 [MEDIUM] phpmyadmin: Multiple cross-site scripting (XSS) vulnerabilities in PhpMyAdmin before 2.9.1.1 allow remote attackers to inject arbitrary HTML or web script via (1) a comment for a table name, as exploited through (a) db_operations.php, (2) the db parameter to (b) db_create.php, (3) the newname parameter to db_operations.php, the (4) query_history_latest, (5) query_history_lat
debian
CVE-2006-1258 | MEDIUM | CVSS 4.3 | PoC | fixed in phpmyadmin 4:2.8.0.2-2 (bookworm) | 2006
CVE-2006-1258 [MEDIUM] phpmyadmin: Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.1 allows remote attackers to inject arbitrary web script or HTML via the set_theme parameter.
Scope: local; bookworm: resolved (fixed in 4:2.8.0.2-2); bullseye: resolved (fixed in 4:2.8.0.2-2); forky: resolved (fixed in 4:2.8.0.2-2); sid: resolved (fixed in 4:2.8.0.2-2); trixie: resolved (fixed in 4:2.8.0.2-
debian
CVE-2006-2418 | MEDIUM | CVSS 6.8 | fixed in phpmyadmin 4:2.8.1-1 (bookworm) | 2006
CVE-2006-2418 [MEDIUM] phpmyadmin: Cross-site scripting (XSS) vulnerabilities in certain versions of phpMyAdmin before 2.8.0.4 allow remote attackers to inject arbitrary web script or HTML via the db parameter in unknown scripts.
Scope: local; bookworm: resolved (fixed in 4:2.8.1-1); bullseye: resolved (fixed in 4:2.8.1-1); forky: resolved (fixed in 4:2.8.1-1); sid: resolved (fixed in 4:2.8.1-1); trixi
debian
CVE-2006-2417 | MEDIUM | CVSS 2.6 | fixed in phpmyadmin 4:2.8.1-1 (bookworm) | 2006
CVE-2006-2417 [LOW] phpmyadmin: Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.x before 2.8.0.4 allows remote attackers to inject arbitrary web script or HTML via the theme parameter in unknown scripts. NOTE: the lang parameter is already covered by CVE-2006-2031.
Scope: local; bookworm: resolved (fixed in 4:2.8.1-1); bullseye: resolved (fixed in 4:2.8.1-1); forky: resolved (fixed in 4:
debian
CVE-2006-1678 | MEDIUM | CVSS 4.3 | fixed in phpmyadmin 4:2.8.0.3-1 (bookworm) | 2006
CVE-2006-1678 [MEDIUM] phpmyadmin: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.8.0.3 allow remote attackers to inject arbitrary web script or HTML via unknown vectors in unspecified scripts in the themes directory.
Scope: local; bookworm: resolved (fixed in 4:2.8.0.3-1); bullseye: resolved (fixed in 4:2.8.0.3-1); forky: resolved (fixed in 4:2.8.0.3-1); sid: resolved (fix
debian
CVE-2006-5117 | LOW | CVSS 5.0 | fixed in phpmyadmin 4:2.9.0.2-0.1 (bookworm) | 2006
CVE-2006-5117 [MEDIUM] phpmyadmin: phpMyAdmin before 2.9.1-rc1 has a libraries directory under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information via direct requests for certain files.
Scope: local; bookworm: resolved (fixed in 4:2.9.0.2-0.1); bullseye: resolved (fixed in 4:2.9.0.2-0.1); forky: resolved (fixed in 4:2.9.0.2-0.1); sid: r
debian
CVE-2006-6373 | LOW | CVSS 5.0 | fixed in phpmyadmin 4:2.9.1.1-1 (bookworm) | 2006
CVE-2006-6373 [MEDIUM] phpmyadmin: PhpMyAdmin 2.7.0-pl2 allows remote attackers to obtain sensitive information via a direct request for libraries/common.lib.php, which reveals the path in an error message.
Scope: local; bookworm: resolved (fixed in 4:2.9.1.1-1); bullseye: resolved (fixed in 4:2.9.1.1-1); forky: resolved (fixed in 4:2.9.1.1-1); sid: resolved (fixed in 4:2.9.1.1-1); trixie: resolved (fi
debian
CVE-2006-6943 | LOW | CVSS 5.0 | PoC | fixed in phpmyadmin 4:2.9.1.1-2 (bookworm) | 2006
CVE-2006-6943 [MEDIUM] phpmyadmin: PhpMyAdmin before 2.9.1.1 allows remote attackers to obtain the full server path via direct requests to (a) scripts/check_lang.php and (b) themes/darkblue_orange/layout.inc.php; and via the (1) lang[], (2) target[], (3) db[], (4) goto[], (5) table[], and (6) tbl_group[] array arguments to (c) index.php, and the (7) back[] argument to (d) sql.php; and an invalid (
debian
CVE-2006-5718 | LOW | CVSS 4.3 | fixed in phpmyadmin 4:2.9.0.3-1 (bookworm) | 2006
CVE-2006-5718 [MEDIUM] phpmyadmin: Cross-site scripting (XSS) vulnerability in error.php in phpMyAdmin 2.6.4 through 2.9.0.2 allows remote attackers to inject arbitrary web script or HTML via UTF-7 or US-ASCII encoded characters, which are injected into an error message, as demonstrated by a request with a utf7 charset parameter accompanied by UTF-7 data.
Scope: local; bookworm: resolved (fixed in
debian