Debian Phpmyadmin vulnerabilities

CVE-2006-3388 [MEDIUM] CVE-2006-3388: phpmyadmin - Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.8.2 allows remot... Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via the table parameter. Scope: local bookworm: resolved (fixed in 4:2.8.2-0.1) bullseye: resolved (fixed in 4:2.8.2-0.1) forky: resolved (fixed in 4:2.8.2-0.1) sid: resolved (fixed in 4:2.8.2-0.1) trixie: resolved (fixed in 4:2.8.2-0

CVE-2006-1804 [HIGH] CVE-2006-1804: phpmyadmin - SQL injection vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows remote att... SQL injection vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows remote attackers to execute arbitrary SQL commands via the sql_query parameter. Scope: local bookworm: resolved (fixed in 4:2.8.1-1) bullseye: resolved (fixed in 4:2.8.1-1) forky: resolved (fixed in 4:2.8.1-1) sid: resolved (fixed in 4:2.8.1-1) trixie: resolved (fixed in 4:2.8.1-1)

CVE-2006-1803 [MEDIUM] CVE-2006-1803: phpmyadmin - Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allo... Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows remote attackers to inject arbitrary web script or HTML via the sql_query parameter. Scope: local bookworm: resolved (fixed in 4:2.8.1-1) bullseye: resolved (fixed in 4:2.8.1-1) forky: resolved (fixed in 4:2.8.1-1) sid: resolved (fixed in 4:2.8.1-1) trixie: resolved (fixed in 4:2.8

CVE-2006-6374 [HIGH] CVE-2006-6374: phpmyadmin - Multiple CRLF injection vulnerabilities in PhpMyAdmin 2.7.0-pl2 allow remote att... Multiple CRLF injection vulnerabilities in PhpMyAdmin 2.7.0-pl2 allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a phpMyAdmin cookie in (1) css/phpmyadmin.css.php, (2) db_create.php, (3) index.php, (4) left.php, (5) libraries/session.inc.php, (6) libraries/transformations/overview.php, (7) que

CVE-2006-2031 [LOW] CVE-2006-2031: phpmyadmin - Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin 2.8.0.3, 2.8... Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin 2.8.0.3, 2.8.0.2, 2.8.1-dev, and 2.9.0-dev allows remote attackers to inject arbitrary web script or HTML via the lang parameter. Scope: local bookworm: resolved (fixed in 4:2.8.1-1) bullseye: resolved (fixed in 4:2.8.1-1) forky: resolved (fixed in 4:2.8.1-1) sid: resolved (fixed in 4:2.8.1-1) trixi

CVE-2006-5116 [CRITICAL] CVE-2006-5116: phpmyadmin - Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyAdmin before ... Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyAdmin before 2.9.1-rc1 allow remote attackers to perform unauthorized actions as another user by (1) directly setting a token in the URL though dynamic variable evaluation and (2) unsetting arbitrary variables via the _REQUEST array, related to (a) libraries/common.lib.php, (b) session.inc.php,

CVE-2005-3299 [MEDIUM] CVE-2005-3299: phpmyadmin - PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and... PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array. Scope: local bookworm: resolved (fixed in 4:2.6.4-pl2-1) bullseye: resolved (fixed in 4:2.6.4-pl2-1) forky: resolved (fixed in 4:2.6.4-pl2-1) sid: resolved (f

CVE-2005-3300 [MEDIUM] CVE-2005-3300: phpmyadmin - The register_globals emulation layer in grab_globals.php for phpMyAdmin before 2... The register_globals emulation layer in grab_globals.php for phpMyAdmin before 2.6.4-pl3 does not perform safety checks on values in the _FILES array for uploaded files, which allows remote attackers to include arbitrary files by using direct requests to library scripts that do not use grab_globals.php, then modifying certain configuration values for the theme. S

CVE-2005-0567 [HIGH] CVE-2005-0567: phpmyadmin - Multiple PHP remote file inclusion vulnerabilities in phpMyAdmin 2.6.1 allow rem... Multiple PHP remote file inclusion vulnerabilities in phpMyAdmin 2.6.1 allow remote attackers to execute arbitrary PHP code by modifying the (1) theme parameter to phpmyadmin.css.php or (2) cfg[Server][extension] parameter to database_interface.lib.php to reference a URL on a remote web server that contains the code. Scope: local bookworm: resolved (fixed in 3:2.6.

CVE-2005-3787 [MEDIUM] CVE-2005-3787: phpmyadmin - Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.6.4-p... Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.6.4-pl4 allow remote attackers to inject arbitrary web script or HTML via (1) the cookie-based login panel, (2) the title parameter and (3) the table creation dialog. Scope: local bookworm: resolved (fixed in 4:2.6.4-pl4-1) bullseye: resolved (fixed in 4:2.6.4-pl4-1) forky: resolved (fixed

CVE-2005-0543 [MEDIUM] CVE-2005-0543: phpmyadmin - Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.6.1 allows remote attac... Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.6.1 allows remote attackers to inject arbitrary HTML and web script via (1) the strServer, cfg[BgcolorOne], or strServerChoice parameters in select_server.lib.php, (2) the bg_color or row_no parameters in display_tbl_links.lib.php, the left_font_family parameter in theme_left.css.php, or the right_font_fami

CVE-2005-2869 [MEDIUM] CVE-2005-2869: phpmyadmin - Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.6.4 a... Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the Username to libraries/auth/cookie.auth.lib.php or (2) the error parameter to error.php. Scope: local bookworm: resolved (fixed in 4:2.6.4-pl1-1) bullseye: resolved (fixed in 4:2.6.4-pl1-1) forky: resolved (fixed

CVE-2005-0992 [MEDIUM] CVE-2005-0992: phpmyadmin - Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin before 2.6.2... Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin before 2.6.2-rc1 allows remote attackers to inject arbitrary web script or HTML via the convcharset parameter. Scope: local bookworm: resolved (fixed in 3:2.6.2-rc1-1) bullseye: resolved (fixed in 3:2.6.2-rc1-1) forky: resolved (fixed in 3:2.6.2-rc1-1) sid: resolved (fixed in 3:2.6.2-rc1-1) trixi

CVE-2005-3621 [MEDIUM] CVE-2005-3621: phpmyadmin - CRLF injection vulnerability in phpMyAdmin before 2.6.4-pl4 allows remote attack... CRLF injection vulnerability in phpMyAdmin before 2.6.4-pl4 allows remote attackers to conduct HTTP response splitting attacks via unspecified scripts. Scope: local bookworm: resolved (fixed in 4:2.6.4-pl4-1) bullseye: resolved (fixed in 4:2.6.4-pl4-1) forky: resolved (fixed in 4:2.6.4-pl4-1) sid: resolved (fixed in 4:2.6.4-pl4-1) trixie: resolved (fixed in 4:2.6

CVE-2005-0653 [MEDIUM] CVE-2005-0653: phpmyadmin - phpMyAdmin 2.6.1 does not properly grant permissions on tables with an underscor... phpMyAdmin 2.6.1 does not properly grant permissions on tables with an underscore in the name, which grants remote authenticated users more privileges than intended. Scope: local bookworm: resolved (fixed in 3:2.6.1-pl3-1) bullseye: resolved (fixed in 3:2.6.1-pl3-1) forky: resolved (fixed in 3:2.6.1-pl3-1) sid: resolved (fixed in 3:2.6.1-pl3-1) trixie: resolved (

CVE-2005-0544 [MEDIUM] CVE-2005-0544: phpmyadmin - phpMyAdmin 2.6.1 allows remote attackers to obtain the full path of the server v... phpMyAdmin 2.6.1 allows remote attackers to obtain the full path of the server via direct requests to (1) sqlvalidator.lib.php, (2) sqlparser.lib.php, (3) select_theme.lib.php, (4) select_lang.lib.php, (5) relation_cleanup.lib.php, (6) header_meta_style.inc.php, (7) get_foreign.lib.php, (8) display_tbl_links.lib.php, (9) display_export.lib.php, (10) db_table_exis

CVE-2005-3665 [MEDIUM] CVE-2005-3665: phpmyadmin - Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.7.0 a... Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.7.0 allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP_HOST variable and (2) various scripts in the libraries directory that handle header generation. Scope: local bookworm: resolved (fixed in 4:2.6.4-pl4-2) bullseye: resolved (fixed in 4:2.6.4-pl4-2) forky: res

CVE-2005-3301 [MEDIUM] CVE-2005-3301: phpmyadmin - Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.6.4-p... Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.6.4-pl3 allow remote attackers to inject arbitrary web script or HTML via certain arguments to (1) left.php, (2) queryframe.php, or (3) server_databases.php. Scope: local bookworm: resolved (fixed in 4:2.6.4-pl3-1) bullseye: resolved (fixed in 4:2.6.4-pl3-1) forky: resolved (fixed in 4:2.6

CVE-2005-4349 [MEDIUM] CVE-2005-4349: phpmyadmin - SQL injection vulnerability in server_privileges.php in phpMyAdmin 2.7.0 allows ... SQL injection vulnerability in server_privileges.php in phpMyAdmin 2.7.0 allows remote authenticated users to execute arbitrary SQL commands via the (1) dbname and (2) checkprivs parameters. NOTE: the vendor and a third party have disputed this issue, saying that the main task of the program is to support query execution by authenticated users, and no external at

CVE-2005-3622 [MEDIUM] CVE-2005-3622: phpmyadmin - phpMyAdmin 2.7.0-beta1 and earlier allows remote attackers to obtain the full pa... phpMyAdmin 2.7.0-beta1 and earlier allows remote attackers to obtain the full path of the server via direct requests to multiple scripts in the libraries directory. Scope: local bookworm: open bullseye: open forky: open sid: open trixie: open