Debian Phpmyadmin vulnerabilities

CVE-2014-5274 [LOW] CVE-2014-5274: phpmyadmin - Cross-site scripting (XSS) vulnerability in the view operations page in phpMyAdm... Cross-site scripting (XSS) vulnerability in the view operations page in phpMyAdmin 4.1.x before 4.1.14.3 and 4.2.x before 4.2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted view name, related to js/functions.js. Scope: local bookworm: resolved (fixed in 4:4.2.7.1-1) bullseye: resolved (fixed in 4:4.2.7.1-1) forky: resolved

CVE-2013-5003 [MEDIUM] CVE-2013-5003: phpmyadmin - Multiple SQL injection vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 and 4.... Multiple SQL injection vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allow remote authenticated users to execute arbitrary SQL commands via (1) the scale parameter to pmd_pdf.php or (2) the pdf_page_number parameter to schema_export.php. Scope: local bookworm: resolved (fixed in 4:4.0.4.2-1) bullseye: resolved (fixed in 4:4.0.4.2-1)

CVE-2013-3239 [MEDIUM] CVE-2013-3239: phpmyadmin - phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory... phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename of an export file, leading to interpretation of this file as an executable file by the Apache HTTP Server, as demonstrated by a .php.sql filename. Scope: local bookw

CVE-2013-5029 [MEDIUM] CVE-2013-5029: phpmyadmin - phpMyAdmin 3.5.x and 4.0.x before 4.0.5 allows remote attackers to bypass the cl... phpMyAdmin 3.5.x and 4.0.x before 4.0.5 allows remote attackers to bypass the clickjacking protection mechanism via certain vectors related to Header.class.php. Scope: local bookworm: resolved (fixed in 4:4.0.5-1) bullseye: resolved (fixed in 4:4.0.5-1) forky: resolved (fixed in 4:4.0.5-1) sid: resolved (fixed in 4:4.0.5-1) trixie: resolved (fixed in 4:4.0.5-1)

CVE-2013-4996 [MEDIUM] CVE-2013-4996: phpmyadmin - Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3... Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted database name, (2) a crafted user name, (3) a crafted logo URL in the navigation panel, (4) a crafted entry in a certain proxy list, or (5) crafted content

CVE-2013-4997 [MEDIUM] CVE-2013-4997: phpmyadmin - Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3... Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving a JavaScript event in (1) an anchor identifier to setup/index.php or (2) a chartTitle (aka chart title) value. Scope: local bookworm: resolved (fixed in 4:4.0.4.2-1) bullseye: resolved (fixed in

CVE-2013-4729 [MEDIUM] CVE-2013-4729: phpmyadmin - import.php in phpMyAdmin 4.x before 4.0.4.1 does not properly restrict the abili... import.php in phpMyAdmin 4.x before 4.0.4.1 does not properly restrict the ability of input data to specify a file format, which allows remote authenticated users to modify the GLOBALS superglobal array, and consequently change the configuration, via a crafted request. Scope: local bookworm: resolved (fixed in 4:4.0.4.1-1) bullseye: resolved (fixed in 4:4.0.4.1-1

CVE-2013-1937 [MEDIUM] CVE-2013-1937: phpmyadmin - Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization.php... Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow remote attackers to inject arbitrary web script or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameter. NOTE: a third party reports that this is "not exploitable. Scope: local bookworm: resolved bul

CVE-2013-4995 [LOW] CVE-2013-4995: phpmyadmin - Cross-site scripting (XSS) vulnerability in phpMyAdmin 3.5.x before 3.5.8.2 and ... Cross-site scripting (XSS) vulnerability in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted SQL query that is not properly handled during the display of row information. Scope: local bookworm: resolved (fixed in 4:4.0.4.2-1) bullseye: resolved (fixed in 4:4.0.4.2-1) forky

CVE-2013-5001 [LOW] CVE-2013-5001: phpmyadmin - Cross-site scripting (XSS) vulnerability in libraries/plugins/transformations/ab... Cross-site scripting (XSS) vulnerability in libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php in phpMyAdmin 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted object name associated with a TextLinkTransformationPlugin link. Scope: local bookworm: resolved (fixed in 4:4.0.4.2-1)

CVE-2013-3241 [MEDIUM] CVE-2013-3241: phpmyadmin - export.php (aka the export script) in phpMyAdmin 4.x before 4.0.0-rc3 overwrites... export.php (aka the export script) in phpMyAdmin 4.x before 4.0.0-rc3 overwrites global variables on the basis of the contents of the POST superglobal array, which allows remote authenticated users to inject values via a crafted request. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2013-3742 [LOW] CVE-2013-3742: phpmyadmin - Cross-site scripting (XSS) vulnerability in view_create.php (aka the Create View... Cross-site scripting (XSS) vulnerability in view_create.php (aka the Create View page) in phpMyAdmin 4.x before 4.0.3 allows remote authenticated users to inject arbitrary web script or HTML via an invalid SQL CREATE VIEW statement with a crafted name that triggers an error message. Scope: local bookworm: resolved (fixed in 4:4.0.1-3) bullseye: resolved (fixed in 4:

CVE-2013-3238 [MEDIUM] CVE-2013-3238: phpmyadmin - phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote authenticat... phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote authenticated users to execute arbitrary code via a /e\x00 sequence, which is not properly handled before making a preg_replace function call within the "Replace table prefix" feature. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2013-4998 [MEDIUM] CVE-2013-4998: phpmyadmin - phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote attackers... phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to pmd_common.php and other files. Scope: local bookworm: resolved (fixed in 4:4.0.4.2-1) bullseye: resolved (fixed in 4:4.0.4.2-1) forky: resolved (fixed in 4:4.0

CVE-2013-4999 [MEDIUM] CVE-2013-4999: phpmyadmin - phpMyAdmin 4.0.x before 4.0.4.2 allows remote attackers to obtain sensitive info... phpMyAdmin 4.0.x before 4.0.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to Error.class.php and Error_Handler.class.php. Scope: local bookworm: resolved (fixed in 4:4.0.4.2-1) bullseye: resolved (fixed in 4:4.0.4.2-1) forky: resolved (fixed in 4:4.0.4.2-1) sid:

CVE-2013-5000 [MEDIUM] CVE-2013-5000: phpmyadmin - phpMyAdmin 3.5.x before 3.5.8.2 allows remote attackers to obtain sensitive info... phpMyAdmin 3.5.x before 3.5.8.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to config.default.php and other files. Scope: local bookworm: resolved (fixed in 4:4.0.4.2-1) bullseye: resolved (fixed in 4:4.0.4.2-1) forky: resolved (fixed in 4:4.0.4.2-1) sid: resolved

CVE-2013-3240 [MEDIUM] CVE-2013-3240: phpmyadmin - Directory traversal vulnerability in the Export feature in phpMyAdmin 4.x before... Directory traversal vulnerability in the Export feature in phpMyAdmin 4.x before 4.0.0-rc3 allows remote authenticated users to read arbitrary files or possibly have unspecified other impact via a parameter that specifies a crafted export type. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2013-5002 [LOW] CVE-2013-5002: phpmyadmin - Cross-site scripting (XSS) vulnerability in libraries/schema/Export_Relation_Sch... Cross-site scripting (XSS) vulnerability in libraries/schema/Export_Relation_Schema.class.php in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted pageNumber value to schema_export.php. Scope: local bookworm: resolved (fixed in 4:4.0.4.2-1) bullseye: resolved (fixed in 4:4.

CVE-2012-4219 [MEDIUM] CVE-2012-4219: phpmyadmin - show_config_errors.php in phpMyAdmin 3.5.x before 3.5.2.1 allows remote attacker... show_config_errors.php in phpMyAdmin 3.5.x before 3.5.2.1 allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message, related to lack of inclusion of the common.inc.php library file. Scope: local bookworm: resolved (fixed in 4:4.0.1-1) bullseye: resolved (fixed in 4:4.0.1-1) forky: resolve

CVE-2012-5159 [HIGH] CVE-2012-5159: phpmyadmin - phpMyAdmin 3.5.2.2, as distributed by the cdnetworks-kr-1 mirror during an unspe... phpMyAdmin 3.5.2.2, as distributed by the cdnetworks-kr-1 mirror during an unspecified time frame in 2012, contains an externally introduced modification (Trojan Horse) in server_sync.php, which allows remote attackers to execute arbitrary PHP code via an eval injection attack. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: