CVSS2: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.973 High
Percentile: 99.9%

Announcement-ID: PMASA-2018-4
Date: 2018-06-19
Updated: 2018-06-21
File inclusion and remote code execution attack
A flaw has been discovered where an attacker can include (view and potentially execute) files on the server.
The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages.
An attacker must be authenticated, except in these situations:
We consider this to be severe.
Configuring PHP with a restrictive open_basedir can greatly restrict an attacker's ability to view files on the server. Vulnerable systems should not be run with the phpMyAdmin directives $cfg['AllowArbitraryServer'] = true or $cfg['ServerDefault'] = 0.
phpMyAdmin 4.8.0 and 4.8.1 are affected.
Upgrade to phpMyAdmin 4.8.2 or newer, or apply the patch listed below.
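A configuration audit for the risk factors this advisory names (the affected versions, the two $cfg directives and open_basedir), added here as an example and not code from phpMyAdmin or the advisory. The function names, the sample config and the assumed phpMyAdmin defaults (AllowArbitraryServer false, ServerDefault 1) are assumptions of the example.

```python
import re

AFFECTED = {"4.8.0", "4.8.1"}  # affected releases per the advisory
# Matches top-level assignments such as $cfg['Name'] = value; on one line.
ASSIGN = re.compile(r"""\$cfg\[\s*['"](\w+)['"]\s*\]\s*=\s*([^;\n]+);""")

def effective_cfg(php_source):
    """Return the last value assigned to each top-level $cfg key."""
    src = re.sub(r"/\*.*?\*/", "", php_source, flags=re.S)  # block comments
    # Line comments; requiring leading whitespace keeps 'https://' intact.
    src = re.sub(r"(?m)(^|\s)(//|#).*$", "", src)
    return {k: v.strip().strip("'\"") for k, v in ASSIGN.findall(src)}

def audit(version, php_source, open_basedir=""):
    """List the advisory's risk factors present on one installation."""
    cfg = effective_cfg(php_source)
    findings = []
    if version in AFFECTED:
        findings.append(f"phpMyAdmin {version} is affected: upgrade to 4.8.2 or newer")
    # Assumed defaults when a key is absent: AllowArbitraryServer=false, ServerDefault=1.
    if cfg.get("AllowArbitraryServer", "false").lower() not in ("false", "0", "", "null"):
        findings.append("$cfg['AllowArbitraryServer'] is enabled")
    if cfg.get("ServerDefault", "1") == "0":
        findings.append("$cfg['ServerDefault'] is 0")
    if not open_basedir.strip():
        findings.append("PHP open_basedir is not set")
    return findings

# Constructed sample config.inc.php, not taken from a real system.
SAMPLE = """<?php
/* $cfg['ServerDefault'] = 0; */
$cfg['PmaAbsoluteUri'] = 'https://db.example.test/pma/';
// $cfg['AllowArbitraryServer'] = false;
$cfg["AllowArbitraryServer"] = TRUE;
$cfg['ServerDefault'] = 1;
$cfg['ServerDefault'] = 0;   # last assignment wins
"""

if __name__ == "__main__":
    for finding in audit("4.8.1", SAMPLE):
        print("[!]", finding)
```

Pass the open_basedir value reported by the PHP runtime that serves phpMyAdmin as the third argument; an empty string is treated as unrestricted.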
Henry Huang, an independent security researcher, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
Assigned CVE ids: CVE-2018-12613
CWE ids: CWE-661
The following commits have been made on the 4.8 branch to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.
CPE

Name | Operator | Version |
---|---|---|
phpmyadmin | le | 4.8.0 |
phpmyadmin | le | 4.8.1 |