PT-2019-5541 · Phpmyadmin+4

William Desportes · Published 2019-06-05 · Updated 2024-06-15 · CVE-2019-11768

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

phpMyAdmin versions prior to 4.9.0.1

Description

The issue is related to a specially crafted database name that can trigger an SQL injection attack through the designer feature. This is due to the lack of protection measures for the SQL query structure in the designer feature, specifically in the move.js file. An attacker can exploit this to execute arbitrary code remotely.

Recommendations

For versions prior to 4.9.0.1, update to version 4.9.0.1 or later to resolve the issue. As a temporary workaround, consider disabling the designer feature until a patch is available. Restrict access to the move.js file to minimize the risk of exploitation. Avoid using specially crafted database names in the affected feature until the issue is resolved.

Fix

SQL injection

Weakness Enumeration

Related Identifiers

ALT-PU-2019-2041
ALT-PU-2020-3212
ALT-PU-2021-3657
BDU:2020-03949
CVE-2019-11768
GHSA-X37V-98F9-MJ32
MGASA-2019-0200
OPENSUSE-SU-2019:1689-1
OPENSUSE-SU-2019:1861-1
OPENSUSE-SU-2019_1689-1
OPENSUSE-SU-2024:11171-1
USN-4639-1
USN-4843-1

Affected Products

Alt Linux
Linuxmint
Suse
Ubuntu
Phpmyadmin