Action not permitted
Modal body text goes here.
Modal Title
Modal Body
ubuntu-cve-2019-11768
Vulnerability from osv_ubuntu
An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature.
{
"affected": [
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "phpmyadmin",
"binary_version": "4:4.5.4.1-2ubuntu2.1+esm3"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "phpmyadmin",
"purl": "pkg:deb/ubuntu/phpmyadmin@4:4.5.4.1-2ubuntu2.1+esm3?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4:4.5.4.1-2ubuntu2.1+esm3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4:4.4.13.1-1",
"4:4.5.0.2-2",
"4:4.5.1-1",
"4:4.5.1-2",
"4:4.5.1-3",
"4:4.5.2-1",
"4:4.5.2-2",
"4:4.5.3.1-1",
"4:4.5.4-1",
"4:4.5.4.1-2",
"4:4.5.4.1-2ubuntu1",
"4:4.5.4.1-2ubuntu2",
"4:4.5.4.1-2ubuntu2.1",
"4:4.5.4.1-2ubuntu2.1+esm2"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "phpmyadmin",
"binary_version": "4:4.6.6-5ubuntu0.5"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "phpmyadmin",
"purl": "pkg:deb/ubuntu/phpmyadmin@4:4.6.6-5ubuntu0.5?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4:4.6.6-5ubuntu0.5"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4:4.6.6-5"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "phpmyadmin",
"binary_version": "4:5.1.1+dfsg1-5ubuntu1"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "phpmyadmin",
"purl": "pkg:deb/ubuntu/phpmyadmin@4:5.1.1+dfsg1-5ubuntu1?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4:5.0.4+dfsg2-2ubuntu5",
"4:5.1.1+dfsg1-5ubuntu1"
]
}
],
"aliases": [],
"details": "An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature.",
"id": "UBUNTU-CVE-2019-11768",
"modified": "2025-09-08T16:45:25Z",
"published": "2019-06-05T05:29:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2019-11768"
},
{
"type": "REPORT",
"url": "https://www.phpmyadmin.net/security/PMASA-2019-3/"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-4639-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-4843-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11768"
}
],
"related": [
"USN-4639-1",
"USN-4843-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2019-11768"
]
}
CVE-2019-11768 (GCVE-0-2019-11768)
Vulnerability from cvelistv5 – Published: 2019-06-05 04:25 – Updated: 2024-08-04 23:03- n/a
| URL | Tags |
|---|---|
| https://www.phpmyadmin.net/security/PMASA-2019-3/ | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/108617 | vdb-entryx_refsource_BID |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:03:32.815Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.phpmyadmin.net/security/PMASA-2019-3/"
},
{
"name": "108617",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108617"
},
{
"name": "FEDORA-2019-13d2ba0aed",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/II4HC4QO6WUL2IRSQKCB66UBJOLLI5OV/"
},
{
"name": "FEDORA-2019-33649e2e64",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKJMYVXEDXGEGRO42T6H6VOEZJ65QPQ7/"
},
{
"name": "openSUSE-SU-2019:1689",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00005.html"
},
{
"name": "openSUSE-SU-2019:1861",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00017.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-14T08:06:03.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.phpmyadmin.net/security/PMASA-2019-3/"
},
{
"name": "108617",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/108617"
},
{
"name": "FEDORA-2019-13d2ba0aed",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/II4HC4QO6WUL2IRSQKCB66UBJOLLI5OV/"
},
{
"name": "FEDORA-2019-33649e2e64",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKJMYVXEDXGEGRO42T6H6VOEZJ65QPQ7/"
},
{
"name": "openSUSE-SU-2019:1689",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00005.html"
},
{
"name": "openSUSE-SU-2019:1861",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00017.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11768",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.phpmyadmin.net/security/PMASA-2019-3/",
"refsource": "CONFIRM",
"url": "https://www.phpmyadmin.net/security/PMASA-2019-3/"
},
{
"name": "108617",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/108617"
},
{
"name": "FEDORA-2019-13d2ba0aed",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/II4HC4QO6WUL2IRSQKCB66UBJOLLI5OV/"
},
{
"name": "FEDORA-2019-33649e2e64",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKJMYVXEDXGEGRO42T6H6VOEZJ65QPQ7/"
},
{
"name": "openSUSE-SU-2019:1689",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00005.html"
},
{
"name": "openSUSE-SU-2019:1861",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00017.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11768",
"datePublished": "2019-06-05T04:25:10.000Z",
"dateReserved": "2019-05-06T00:00:00.000Z",
"dateUpdated": "2024-08-04T23:03:32.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
usn-4639-1
Vulnerability from osv_ubuntu
It was discovered that there was a bug in the way phpMyAdmin handles the phpMyAdmin Configuration Storage tables. An authenticated attacker could use this vulnerability to cause phpmyAdmin to leak sensitive files. (CVE-2018-19968)
It was discovered that phpMyAdmin incorrectly handled user input. An attacker could possibly use this for an XSS attack. (CVE-2018-19970)
It was discovered that phpMyAdmin mishandled certain input. An attacker could use this vulnerability to execute a cross-site scripting (XSS) attack via a crafted URL. (CVE-2018-7260)
It was discovered that phpMyAdmin failed to sanitize certain input. An attacker could use this vulnerability to execute an SQL injection attack via a specially crafted database name. (CVE-2019-11768)
It was discovered that phpmyadmin incorrectly handled some requests. An attacker could possibly use this to perform a CSRF attack. (CVE-2019-12616)
It was discovered that phpMyAdmin failed to sanitize certain input. An attacker could use this vulnerability to execute an SQL injection attack via a specially crafted username. (CVE-2019-6798, CVE-2020-10804, CVE-2020-5504)
It was discovered that phpMyAdmin would allow sensitive files to be leaked if certain configuration options were set. An attacker could use this vulnerability to access confidential information. (CVE-2019-6799)
It was discovered that phpMyAdmin failed to sanitize certain input. An attacker could use this vulnerability to execute an SQL injection attack via a specially crafted database or table name. (CVE-2020-10802)
It was discovered that phpMyAdmin did not properly handle data from the database when displaying it. If an attacker were to insert specially- crafted data into certain database tables, the attacker could execute a cross-site scripting (XSS) attack. (CVE-2020-10803)
It was discovered that phpMyAdmin was vulnerable to an XSS attack. If a victim were to click on a crafted link, an attacker could run malicious JavaScript on the victim's system. (CVE-2020-26934)
It was discovered that phpMyAdmin did not properly handler certain SQL statements in the search feature. An attacker could use this vulnerability to inject malicious SQL into a query. (CVE-2020-26935)
It was discovered that phpMyAdmin did not properly sanitize certain input. An attacker could use this vulnerability to possibly execute an HTML injection or a cross-site scripting (XSS) attack. (CVE-2019-19617)
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2018-7260",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2018-19968",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2018-19970",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2019-6798",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2019-6799",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2019-11768",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2019-12616",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2019-19617",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2020-5504",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2020-10802",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2020-10803",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2020-10804",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2020-26934",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2020-26935",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:18.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "phpmyadmin",
"binary_version": "4:4.6.6-5ubuntu0.5"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "phpmyadmin",
"purl": "pkg:deb/ubuntu/phpmyadmin@4:4.6.6-5ubuntu0.5?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4:4.6.6-5ubuntu0.5"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4:4.6.6-5"
]
}
],
"aliases": [],
"details": "It was discovered that there was a bug in the way phpMyAdmin handles the\nphpMyAdmin Configuration Storage tables. An authenticated attacker could\nuse this vulnerability to cause phpmyAdmin to leak sensitive files.\n(CVE-2018-19968)\n\nIt was discovered that phpMyAdmin incorrectly handled user input. An\nattacker could possibly use this for an XSS attack. (CVE-2018-19970)\n\nIt was discovered that phpMyAdmin mishandled certain input. An attacker\ncould use this vulnerability to execute a cross-site scripting (XSS) attack\nvia a crafted URL. (CVE-2018-7260)\n\nIt was discovered that phpMyAdmin failed to sanitize certain input. An\nattacker could use this vulnerability to execute an SQL injection attack\nvia a specially crafted database name. (CVE-2019-11768)\n\nIt was discovered that phpmyadmin incorrectly handled some requests. An\nattacker could possibly use this to perform a CSRF attack. (CVE-2019-12616)\n\nIt was discovered that phpMyAdmin failed to sanitize certain input. An\nattacker could use this vulnerability to execute an SQL injection attack\nvia a specially crafted username. (CVE-2019-6798, CVE-2020-10804,\nCVE-2020-5504)\n\nIt was discovered that phpMyAdmin would allow sensitive files to be leaked\nif certain configuration options were set. An attacker could use this\nvulnerability to access confidential information. (CVE-2019-6799)\n\nIt was discovered that phpMyAdmin failed to sanitize certain input. An\nattacker could use this vulnerability to execute an SQL injection attack\nvia a specially crafted database or table name. (CVE-2020-10802)\n\nIt was discovered that phpMyAdmin did not properly handle data from the\ndatabase when displaying it. If an attacker were to insert specially-\ncrafted data into certain database tables, the attacker could execute a\ncross-site scripting (XSS) attack. (CVE-2020-10803)\n\nIt was discovered that phpMyAdmin was vulnerable to an XSS attack. If a\nvictim were to click on a crafted link, an attacker could run malicious\nJavaScript on the victim\u0027s system. (CVE-2020-26934)\n\nIt was discovered that phpMyAdmin did not properly handler certain SQL\nstatements in the search feature. An attacker could use this vulnerability\nto inject malicious SQL into a query. (CVE-2020-26935)\n\nIt was discovered that phpMyAdmin did not properly sanitize certain input.\nAn attacker could use this vulnerability to possibly execute an HTML injection\nor a cross-site scripting (XSS) attack. (CVE-2019-19617)\n",
"id": "USN-4639-1",
"modified": "2026-04-27T14:11:26Z",
"published": "2020-11-19T15:01:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-4639-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2018-7260"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2018-19968"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2018-19970"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2019-6798"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2019-6799"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2019-11768"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2019-12616"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2019-19617"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2020-5504"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2020-10802"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2020-10803"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2020-10804"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2020-26934"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2020-26935"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "phpmyadmin vulnerabilities",
"upstream": [
"UBUNTU-CVE-2018-7260",
"UBUNTU-CVE-2018-19968",
"UBUNTU-CVE-2018-19970",
"UBUNTU-CVE-2019-6798",
"UBUNTU-CVE-2019-6799",
"UBUNTU-CVE-2019-11768",
"UBUNTU-CVE-2019-12616",
"UBUNTU-CVE-2019-19617",
"UBUNTU-CVE-2020-5504",
"UBUNTU-CVE-2020-10802",
"UBUNTU-CVE-2020-10803",
"UBUNTU-CVE-2020-10804",
"UBUNTU-CVE-2020-26934",
"UBUNTU-CVE-2020-26935"
]
}
usn-4843-1
Vulnerability from osv_ubuntu
Javier Nieto and Andres Rojas discovered that phpMyAdmin incorrectly managed input in the form of passwords. An attacker could use this vulnerability to cause a denial-of-service (DoS). This issue only affected Ubuntu 14.04 ESM. (CVE-2014-9218)
Emanuel Bronshtein discovered that phpMyAdmin failed to properly sanitize input in the form of database names in the PHP Array export feature. An authenticated attacker could use this vulnerability to run arbitrary PHP commands. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2016-6609)
Emanuel Bronshtein discovered that phpMyAdmin failed to properly sanitize input. An attacker could use this vulnerability to execute SQL injection attacks. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2016-6619)
Emanuel Bronshtein discovered that phpMyadmin failed to properly sanitize input. An authenticated attacker could use this vulnerability to cause a denial-of-service (DoS). This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2016-6630)
Emanuel Bronshtein discovered that phpMyAdmin failed to properly sanitize input. An attacker could use this vulnerability to bypass AllowRoot restrictions and deny rules for usernames. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2016-9849)
Emanuel Bronshtein discovered that phpMyAdmin would allow sensitive information to be leaked when the argument separator in a URL was not the default & value. An attacker could use this vulnerability to obtain the CSRF token of a user. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2016-9866)
Isaac Bennetch discovered that phpMyAdmin was incorrectly restricting user access due to the behavior of the substr function on some PHP versions. An attacker could use this vulnerability to bypass login restrictions established for users that have no password set. This issue only affected Ubuntu 14.04 ESM. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2017-18264)
Emanuel Bronshtein discovered that phpMyAdmin failed to properly sanitize input in the form of parameters sent during a table editing operation. An attacker could use this vulnerability to trigger an endless recursion and cause a denial-of-service (DoS). This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2017-1000014)
Emanuel Bronshtein discovered that phpMyAdmin failed to properly sanitize input used to generate a web page. An authenticated attacker could use this vulnerability to execute CSS injection attacks. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2017-1000015)
It was discovered that phpMyAdmin incorrectly handled certain input. An attacker could use this vulnerability to execute a cross-site scripting (XSS) attack via a crafted URL. This issue only affected Ubuntu 16.04 ESM. (CVE-2018-7260)
It was discovered phpMyAdmin incorrectly handled database names. An attacker could possibly use this to trigger a cross-site scripting attack. This issue only affected Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. (CVE-2018-12581)
Daniel Le Gall discovered that phpMyAdmin would expose sensitive information to unauthorized actors due to an error in its transformation feature. An authenticated attacker could use this vulnerability to leak the contents of a local file. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2018-19968)
It was discovered that phpMyAdmin incorrectly handled user input. An attacker could possibly use this to perform a cross-site scripting attack. This issue only affected Ubuntu 16.04 ESM. (CVE-2018-19970)
It was discovered that phpMyAdmin failed to properly sanitize input. An attacker could use this vulnerability to execute an SQL injection attack via a specially crafted database name. This issue only affected Ubuntu 16.04 ESM. (CVE-2019-11768)
It was discovered that phpMyAdmin incorrectly handled some requests. An attacker could possibly use this to perform a cross site request forgery attack. This issue only affected Ubuntu 16.04 ESM. (CVE-2019-12616)
It was discovered that phpMyAdmin incorrectly handled some requests. An attacker could possibly use this to perform a cross site request forgery attack. This issue only affected Ubuntu 14.04 ESM and Ubuntu 18.04 ESM. (CVE-2019-12922)
It was discovered that phpMyAdmin failed to properly sanitize input. An attacker could use this vulnerability to execute an SQL injection attack via a specially crafted username. This issue only affected Ubuntu 16.04 ESM. (CVE-2019-6798)
It was discovered that phpMyAdmin did not properly sanitize certain input. An attacker could use this vulnerability to possibly execute an HTML injection or a cross-site scripting (XSS) attack. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2019-19617)
CSW Research Labs discovered that phpMyAdmin failed to properly sanitize input. An attacker could use this vulnerability to execute SQL injection attacks. This issue only affected Ubuntu 16.04 ESM. (CVE-2020-5504)
Giwan Go and Yelang Lee discovered that phpMyAdmin was vulnerable to an XSS attack in the transformation feature. If a victim were to click on a crafted link, an attacker could run malicious JavaScript on the victim's system. This issue only affected Ubuntu 20.04 ESM. (CVE-2020-26934)
Andre Sá discovered that phpMyAdmin incorrectly handled certain SQL statements in the search feature. A remote, authenticated attacker could use this to inject malicious SQL into a query. This issue only affected Ubuntu 20.04 ESM. (CVE-2020-26935)
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2014-9218",
"severity": [
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-18264",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-1000014",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-1000015",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2018-19968",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:14.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "phpmyadmin",
"binary_version": "4:4.0.10-1ubuntu0.1+esm4"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "phpmyadmin",
"purl": "pkg:deb/ubuntu/phpmyadmin@4:4.0.10-1ubuntu0.1+esm4?arch=source\u0026distro=trusty/esm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4:4.0.10-1ubuntu0.1+esm4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4:4.0.6-1",
"4:4.0.8-1",
"4:4.0.9-1",
"4:4.0.10-1",
"4:4.0.10-1ubuntu0.1",
"4:4.0.10-1ubuntu0.1+esm1",
"4:4.0.10-1ubuntu0.1+esm2",
"4:4.0.10-1ubuntu0.1+esm3"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2017-1000014",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2017-1000015",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2018-19968",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2020-5504",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:16.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "phpmyadmin",
"binary_version": "4:4.5.4.1-2ubuntu2.1+esm6"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "phpmyadmin",
"purl": "pkg:deb/ubuntu/phpmyadmin@4:4.5.4.1-2ubuntu2.1+esm6?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4:4.5.4.1-2ubuntu2.1+esm6"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4:4.4.13.1-1",
"4:4.5.0.2-2",
"4:4.5.1-1",
"4:4.5.1-2",
"4:4.5.1-3",
"4:4.5.2-1",
"4:4.5.2-2",
"4:4.5.3.1-1",
"4:4.5.4-1",
"4:4.5.4.1-2",
"4:4.5.4.1-2ubuntu1",
"4:4.5.4.1-2ubuntu2",
"4:4.5.4.1-2ubuntu2.1",
"4:4.5.4.1-2ubuntu2.1+esm2",
"4:4.5.4.1-2ubuntu2.1+esm3",
"4:4.5.4.1-2ubuntu2.1+esm4",
"4:4.5.4.1-2ubuntu2.1+esm5"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2018-12581",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2019-12922",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:18.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "phpmyadmin",
"binary_version": "4:4.6.6-5ubuntu0.5+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "phpmyadmin",
"purl": "pkg:deb/ubuntu/phpmyadmin@4:4.6.6-5ubuntu0.5+esm1?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4:4.6.6-5ubuntu0.5+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4:4.6.6-5",
"4:4.6.6-5ubuntu0.2+esm1",
"4:4.6.6-5ubuntu0.2+esm2",
"4:4.6.6-5ubuntu0.5"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2020-26934",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2020-26935",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:20.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "phpmyadmin",
"binary_version": "4:4.9.5+dfsg1-2ubuntu0.1~esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "phpmyadmin",
"purl": "pkg:deb/ubuntu/phpmyadmin@4:4.9.5+dfsg1-2ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4:4.9.5+dfsg1-2ubuntu0.1~esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4:4.9.1+dfsg1-2",
"4:4.9.2+dfsg1-1",
"4:4.9.5+dfsg1-1ubuntu1",
"4:4.9.5+dfsg1-2"
]
}
],
"aliases": [],
"details": "Javier Nieto and Andres Rojas discovered that phpMyAdmin incorrectly\nmanaged input in the form of passwords. An attacker could use this\nvulnerability to cause a denial-of-service (DoS). This issue only\naffected Ubuntu 14.04 ESM. (CVE-2014-9218)\n\nEmanuel Bronshtein discovered that phpMyAdmin failed to properly sanitize\ninput in the form of database names in the PHP Array export feature.\nAn authenticated attacker could use this vulnerability to run arbitrary\nPHP commands. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.\n(CVE-2016-6609)\n\nEmanuel Bronshtein discovered that phpMyAdmin failed to properly sanitize\ninput. An attacker could use this vulnerability to execute SQL injection\nattacks. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.\n(CVE-2016-6619)\n\nEmanuel Bronshtein discovered that phpMyadmin failed to properly sanitize\ninput. An authenticated attacker could use this vulnerability to cause a\ndenial-of-service (DoS). This issue only affected Ubuntu 14.04 ESM and\nUbuntu 16.04 ESM. (CVE-2016-6630)\n\nEmanuel Bronshtein discovered that phpMyAdmin failed to properly sanitize\ninput. An attacker could use this vulnerability to bypass AllowRoot\nrestrictions and deny rules for usernames. This issue only affected Ubuntu\n14.04 ESM and Ubuntu 16.04 ESM. (CVE-2016-9849)\n\nEmanuel Bronshtein discovered that phpMyAdmin would allow sensitive\ninformation to be leaked when the argument separator in a URL was\nnot the default \u0026 value. An attacker could use this vulnerability to\nobtain the CSRF token of a user. This issue only affected Ubuntu\n14.04 ESM and Ubuntu 16.04 ESM. (CVE-2016-9866)\n\nIsaac Bennetch discovered that phpMyAdmin was incorrectly restricting\nuser access due to the behavior of the substr function on some PHP\nversions. An attacker could use this vulnerability to bypass login\nrestrictions established for users that have no password set. This\nissue only affected Ubuntu 14.04 ESM. This issue only affected Ubuntu\n14.04 ESM and Ubuntu 16.04 ESM. (CVE-2017-18264)\n\nEmanuel Bronshtein discovered that phpMyAdmin failed to properly sanitize\ninput in the form of parameters sent during a table editing operation. An\nattacker could use this vulnerability to trigger an endless recursion\nand cause a denial-of-service (DoS). This issue only affected Ubuntu 14.04\nESM and Ubuntu 16.04 ESM. (CVE-2017-1000014)\n\nEmanuel Bronshtein discovered that phpMyAdmin failed to properly sanitize\ninput used to generate a web page. An authenticated attacker could use this\nvulnerability to execute CSS injection attacks. This issue only affected\nUbuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2017-1000015)\n\nIt was discovered that phpMyAdmin incorrectly handled certain input. An\nattacker could use this vulnerability to execute a cross-site scripting (XSS)\nattack via a crafted URL. This issue only affected Ubuntu 16.04 ESM.\n(CVE-2018-7260)\n\nIt was discovered phpMyAdmin incorrectly handled database names. An\nattacker could possibly use this to trigger a cross-site scripting\nattack. This issue only affected Ubuntu 16.04 ESM and Ubuntu 18.04 ESM.\n(CVE-2018-12581)\n\nDaniel Le Gall discovered that phpMyAdmin would expose sensitive\ninformation to unauthorized actors due to an error in its transformation\nfeature. An authenticated attacker could use this vulnerability to leak\nthe contents of a local file. This issue only affected Ubuntu 14.04 ESM\nand Ubuntu 16.04 ESM. (CVE-2018-19968)\n\nIt was discovered that phpMyAdmin incorrectly handled user input. An\nattacker could possibly use this to perform a cross-site scripting attack.\nThis issue only affected Ubuntu 16.04 ESM. (CVE-2018-19970)\n\nIt was discovered that phpMyAdmin failed to properly sanitize input. An\nattacker could use this vulnerability to execute an SQL injection attack\nvia a specially crafted database name. This issue only affected Ubuntu\n16.04 ESM. (CVE-2019-11768)\n\nIt was discovered that phpMyAdmin incorrectly handled some requests. An\nattacker could possibly use this to perform a cross site request forgery\nattack. This issue only affected Ubuntu 16.04 ESM. (CVE-2019-12616)\n\nIt was discovered that phpMyAdmin incorrectly handled some requests. An\nattacker could possibly use this to perform a cross site request forgery\nattack. This issue only affected Ubuntu 14.04 ESM and Ubuntu 18.04 ESM.\n(CVE-2019-12922)\n\nIt was discovered that phpMyAdmin failed to properly sanitize input. An\nattacker could use this vulnerability to execute an SQL injection attack\nvia a specially crafted username. This issue only affected Ubuntu 16.04 ESM.\n(CVE-2019-6798)\n\nIt was discovered that phpMyAdmin did not properly sanitize certain input.\nAn attacker could use this vulnerability to possibly execute an HTML injection\nor a cross-site scripting (XSS) attack. This issue only affected Ubuntu 14.04\nESM and Ubuntu 16.04 ESM. (CVE-2019-19617)\n\nCSW Research Labs discovered that phpMyAdmin failed to properly sanitize\ninput. An attacker could use this vulnerability to execute SQL injection\nattacks. This issue only affected Ubuntu 16.04 ESM. (CVE-2020-5504)\n\nGiwan Go and Yelang Lee discovered that phpMyAdmin was vulnerable to an\nXSS attack in the transformation feature. If a victim were to click on a\ncrafted link, an attacker could run malicious JavaScript on the victim\u0027s\nsystem. This issue only affected Ubuntu 20.04 ESM. (CVE-2020-26934)\n\nAndre S\u00e1 discovered that phpMyAdmin incorrectly handled certain SQL\nstatements in the search feature. A remote, authenticated attacker could\nuse this to inject malicious SQL into a query. This issue only affected\nUbuntu 20.04 ESM. (CVE-2020-26935)\n",
"id": "USN-4843-1",
"modified": "2026-06-29T10:52:49Z",
"published": "2021-03-16T14:27:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-4843-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2014-9218"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2016-6609"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2016-6619"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2016-6630"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2016-9849"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2016-9866"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2017-18264"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2017-1000014"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2017-1000015"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2018-7260"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2018-12581"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2018-19968"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2018-19970"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2019-6798"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2019-11768"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2019-12616"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2019-12922"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2019-19617"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2020-5504"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2020-26934"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2020-26935"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "phpmyadmin vulnerabilities",
"upstream": [
"UBUNTU-CVE-2014-9218",
"UBUNTU-CVE-2016-6609",
"UBUNTU-CVE-2016-6619",
"UBUNTU-CVE-2016-6630",
"UBUNTU-CVE-2016-9849",
"UBUNTU-CVE-2016-9866",
"UBUNTU-CVE-2017-18264",
"UBUNTU-CVE-2017-1000014",
"UBUNTU-CVE-2017-1000015",
"UBUNTU-CVE-2018-7260",
"UBUNTU-CVE-2018-12581",
"UBUNTU-CVE-2018-19968",
"UBUNTU-CVE-2018-19970",
"UBUNTU-CVE-2019-6798",
"UBUNTU-CVE-2019-11768",
"UBUNTU-CVE-2019-12616",
"UBUNTU-CVE-2019-12922",
"UBUNTU-CVE-2019-19617",
"UBUNTU-CVE-2020-5504",
"UBUNTU-CVE-2020-26934",
"UBUNTU-CVE-2020-26935"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.