Madhura Jayaratne

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions prior to 4.8.3 **Description** A Cross-Site Scripting issue has been found where an attacker can use a crafted file to manipulate an authenticated user who loads that file through the import feature. **Recommendations** For versions prior to 4.8.3, update to version 4.8.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.0.x through 4.0.10.6 phpMyAdmin versions 4.1.x through 4.1.14.7 phpMyAdmin versions 4.2.x through 4.2.12.1 **Description** The issue allows remote attackers to cause a denial of service, resulting in resource consumption, by providing a long password. **Recommendations** For phpMyAdmin versions 4.0.x through 4.0.10.6, update to version 4.0.10.7 or later. For phpMyAdmin versions 4.1.x through 4.1.14.7, update to version 4.1.14.8 or later. For phpMyAdmin versions 4.2.x through 4.2.12.1, update to version 4.2.13.1 or later.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.2.x through 4.2.13.0 **Description** A cross-site scripting (XSS) issue exists in the redirection feature of url.php, allowing remote attackers to inject arbitrary web script or HTML via the `url` parameter. **Recommendations** For phpMyAdmin versions 4.2.x through 4.2.13.0, update to version 4.2.13.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.0.x through 4.0.10.5 phpMyAdmin versions 4.1.x through 4.1.14.6 phpMyAdmin versions 4.2.x through 4.2.12 **Description** The issue allows remote authenticated users to inject arbitrary web script or HTML via various crafted inputs that are improperly handled during rendering of certain pages. This includes a crafted database, table, or column name during rendering of the table browse page, a crafted ENUM value during rendering of the table print view or zoom search page, or a crafted pma fontsize cookie during rendering of the home page. **Recommendations** For phpMyAdmin versions 4.0.x through 4.0.10.5, update to version 4.0.10.6 or later. For phpMyAdmin versions 4.1.x through 4.1.14.6, update to version 4.1.14.7 or later. For phpMyAdmin versions 4.2.x through 4.2.12, update to a version later than 4.2.12.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.1.x through 4.1.14.6 phpMyAdmin versions 4.2.x through 4.2.11 **Description** A directory traversal issue exists in the error-reporting feature, allowing remote authenticated users to obtain potentially sensitive information about a file's line count via a crafted parameter. **Recommendations** For phpMyAdmin versions 4.1.x through 4.1.14.6, update to version 4.1.14.7 or later. For phpMyAdmin versions 4.2.x through 4.2.11, update to version 4.2.12 or later.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.0.x through 4.0.10.4 phpMyAdmin versions 4.1.x through 4.1.14.5 phpMyAdmin versions 4.2.x through 4.2.10.0 **Description** The issue allows remote authenticated users to inject arbitrary web script or HTML via a crafted database name or table name. This is related to the libraries/DatabaseInterface.class.php code for SQL debug output and the js/server status monitor.js code for the server monitor page. **Recommendations** For phpMyAdmin versions 4.0.x through 4.0.10.4, update to version 4.0.10.5 or later. For phpMyAdmin versions 4.1.x through 4.1.14.5, update to version 4.1.14.6 or later. For phpMyAdmin versions 4.2.x through 4.2.10.0, update to version 4.2.10.1 or later.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.1.x through 4.1.14.6 phpMyAdmin versions 4.2.x through 4.2.11 **Description** A cross-site scripting (XSS) issue exists in the error-reporting feature of phpMyAdmin, allowing remote authenticated users to inject arbitrary web script or HTML via a crafted filename. This could potentially lead to unauthorized actions on the web application. **Recommendations** For phpMyAdmin versions 4.1.x through 4.1.14.6, update to version 4.1.14.7 or later. For phpMyAdmin versions 4.2.x through 4.2.11, update to version 4.2.12 or later.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.0.x through 4.0.10.5 phpMyAdmin versions 4.1.x through 4.1.14.6 phpMyAdmin versions 4.2.x through 4.2.11 **Description** The issue allows remote authenticated users to include and execute arbitrary local files via a crafted `geometry-type` parameter in the GIS editor. **Recommendations** For phpMyAdmin versions 4.0.x through 4.0.10.5, update to version 4.0.10.6 or later. For phpMyAdmin versions 4.1.x through 4.1.14.6, update to version 4.1.14.7 or later. For phpMyAdmin versions 4.2.x through 4.2.11, update to version 4.2.12 or later.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.0.x through 4.0.10.9 phpMyAdmin versions 4.2.x through 4.2.13.2 phpMyAdmin versions 4.3.x through 4.3.13.0 phpMyAdmin versions 4.4.x through 4.4.6.0 **Description** The issue allows remote attackers to hijack the authentication of administrators for requests that modify the configuration file due to multiple cross-site request forgery (CSRF) vulnerabilities in the setup process. **Recommendations** For phpMyAdmin versions 4.0.x through 4.0.10.9, update to version 4.0.10.10 or later. For phpMyAdmin versions 4.2.x through 4.2.13.2, update to version 4.2.13.3 or later. For phpMyAdmin versions 4.3.x through 4.3.13.0, update to version 4.3.13.1 or later. For phpMyAdmin versions 4.4.x through 4.4.6.0, update to version 4.4.6.1 or later.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.0.x through 4.0.10.9 phpMyAdmin versions 4.2.x through 4.2.13.2 phpMyAdmin versions 4.3.x through 4.3.13.0 phpMyAdmin versions 4.4.x through 4.4.6.0 **Description** The issue allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate, as the verification of X.509 certificates for GitHub API calls over SSL is disabled. **Recommendations** For phpMyAdmin versions 4.0.x through 4.0.10.9, update to version 4.0.10.10 or later. For phpMyAdmin versions 4.2.x through 4.2.13.2, update to version 4.2.13.3 or later. For phpMyAdmin versions 4.3.x through 4.3.13.0, update to version 4.3.13.1 or later. For phpMyAdmin versions 4.4.x through 4.4.6.0, update to version 4.4.6.1 or later.