CVSS2
Attack Vector: NETWORK
Attack Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

EPSS
Percentile: 66.4%

A phpMyAdmin security announcement reports:

phpMyAdmin used the $_REQUEST superglobal as a source for
its parameters, instead of $_GET and $_POST. This means that
on most servers, a cookie with the same name as one of
phpMyAdmin’s parameters can interfere.

Another application could set a cookie for the root path
“/” with a “sql_query” name, therefore overriding the
user-submitted sql_query because by default, the $_REQUEST
superglobal imports first GET, then POST then COOKIE data.

Mitigation factor

An attacker must trick the victim into visiting a page on
the same web server where he has placed code that creates
a malicious cookie.
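
The override described in the announcement, shown as an added example that is not phpMyAdmin's code: it emulates the GET, POST, COOKIE merge order of $_REQUEST next to a lookup that reads only the form channels. The function names `build_request` and `param_from_form` are hypothetical and the request values are constructed.

```php
<?php
// Added illustration, not phpMyAdmin code. Function names are hypothetical.

// Emulates how PHP fills $_REQUEST for an order string such as "GPC":
// sources are merged left to right, so a later source overwrites an earlier one.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// Hardened lookup: consult only the channels a form submits through, never cookies.
function param_from_form(string $name, array $get, array $post): ?string
{
    foreach ([$post, $get] as $source) {
        if (isset($source[$name]) && is_string($source[$name])) {
            return $source[$name];
        }
    }
    return null;
}

// Constructed request: the user submits a query by POST, while another
// application on the same host has set a cookie named sql_query for path "/".
$get    = ['db' => 'shop'];
$post   = ['sql_query' => 'SELECT id FROM orders'];
$cookie = ['sql_query' => 'QUERY_SET_BY_OTHER_APPLICATION'];

// Merge order from the announcement: the cookie value wins.
$merged = build_request('GPC', $get, $post, $cookie);
echo "REQUEST-style read, order GPC: ", $merged['sql_query'], "\n";

// With cookies left out of the merge (PHP's request_order ini directive
// set to "GP" has this effect on $_REQUEST), the submitted value survives.
$merged = build_request('GP', $get, $post, $cookie);
echo "REQUEST-style read, order GP:  ", $merged['sql_query'], "\n";

// Reading the form channels explicitly is independent of server configuration.
echo "Explicit POST/GET read:        ", param_from_form('sql_query', $get, $post), "\n";
```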

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
FreeBSD | any | noarch | phpmyadmin | < 2.11.5 | UNKNOWN |