Skip to content

phpMyAdmin vulnerable to static code injection

High severity GitHub Reviewed Published May 14, 2022 to the GitHub Advisory Database • Updated Jan 15, 2024

Package

composer phpmyadmin/phpmyadmin (Composer)

Affected versions

>= 3.0, < 3.3.10.2
>= 3.4, < 3.4.3.1

Patched versions

3.3.10.2
3.4.3.1

Description

setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array.

References

Published by the National Vulnerability Database Jul 14, 2011
Published to the GitHub Advisory Database May 14, 2022
Reviewed Jan 15, 2024
Last updated Jan 15, 2024

Severity

High

EPSS score

19.870%
(97th percentile)

Weaknesses

CVE ID

CVE-2011-2506

GHSA ID

GHSA-p6h7-29r2-g88f

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.