Multiple vulnerabilities in phpMyAdmin



Published: 2015-05-26 | Updated: 2020-08-09
Risk: Medium
Patch available: YES (fixed in phpMyAdmin 4.0.10.10, 4.2.13.3, 4.3.13.1 and 4.4.6.1)
Number of vulnerabilities: 2
CVE-ID: CVE-2015-3903, CVE-2015-3902
CWE-ID: CWE-310, CWE-352
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: phpMyAdmin (Web applications / Remote management & hosting panels)

Vendor: phpMyAdmin

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Cryptographic issues

EUVDB-ID: #VU40761

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3903

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows an attacker in a man-in-the-middle position to impersonate the GitHub API server that phpMyAdmin contacts.

libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 disables X.509 certificate verification for GitHub API calls over SSL, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. Because neither the certificate chain nor the hostname is verified, any certificate presented by the interposed host is accepted, and the attacker controls the content of the API response. Exploitation requires the ability to intercept the phpMyAdmin server's outbound HTTPS traffic (for example from the hosting network or through DNS or route manipulation); it is not reachable through the web interface by an ordinary remote user.
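As an added check (this is not phpMyAdmin's code and not the fix from the referenced commit), the following Python script scans PHP source for the two usual ways TLS verification is switched off: curl options CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST set to false or 0, and stream-context options verify_peer / verify_peer_name set to false. The PHP it scans is a constructed sample, not phpMyAdmin source; the patterns cover both the curl_setopt() and curl_setopt_array() call styles.

```python
import re

# Constructed sample input (not phpMyAdmin source): two outbound HTTPS calls,
# one with verification disabled in the way the advisory describes, one correct.
SAMPLE_PHP = r"""<?php
$ch = curl_init('https://api.github.com/repos/example/example/releases');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);   // accepts any certificate
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);       // skips hostname matching
$ctx = stream_context_create(['ssl' => ['verify_peer' => false, 'verify_peer_name' => false]]);
$ok = curl_init('https://api.github.com/');
curl_setopt($ok, CURLOPT_SSL_VERIFYPEER, true);    // verify chain against the CA store
curl_setopt($ok, CURLOPT_SSL_VERIFYHOST, 2);       // 2 is the only secure value
"""

# Each pattern matches one way of disabling verification. The `,` or `=>`
# alternative covers curl_setopt() and curl_setopt_array() respectively.
PATTERNS = [
    ("curl peer verification disabled",
     re.compile(r"CURLOPT_SSL_VERIFYPEER\s*(?:,|=>)\s*(?:false|0)\b", re.I)),
    ("curl hostname verification disabled",
     re.compile(r"CURLOPT_SSL_VERIFYHOST\s*(?:,|=>)\s*(?:false|0)\b", re.I)),
    ("stream context verify_peer disabled",
     re.compile(r"""['"]verify_peer['"]\s*=>\s*false\b""", re.I)),
    ("stream context verify_peer_name disabled",
     re.compile(r"""['"]verify_peer_name['"]\s*=>\s*false\b""", re.I)),
]


def find_disabled_tls_verification(php_source: str) -> list[tuple[int, str, str]]:
    """Return (line number, finding label, stripped source line) for every hit."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for label, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, label, text in find_disabled_tls_verification(SAMPLE_PHP):
        print(f"line {lineno}: {label}: {text}")
```

A pattern scan like this is a triage aid, not proof of absence: it misses verification disabled through a variable (`$verify = false; curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $verify);`). The correct remediation is to leave verification on and, where the system CA store is unavailable, point CURLOPT_CAINFO (or the stream context's cafile option) at a trusted bundle rather than disabling the check.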

Mitigation

Install update from vendor's website.

Vulnerable software versions

phpMyAdmin: 4.0.0 - 4.4.6

External links

http://cxsecurity.com/issue/WLB-2015050095
http://lists.opensuse.org/opensuse-updates/2015-07/msg00008.html
http://packetstormsecurity.com/files/131954/phpMyAdmin-4.4.6-Man-In-The-Middle.html
http://www.debian.org/security/2015/dsa-3382
http://www.phpmyadmin.net/home_page/security/PMASA-2015-3.php
http://www.securityfocus.com/archive/1/535547/100/0/threaded
http://www.securityfocus.com/bid/74660
http://www.securitytracker.com/id/1032403
http://github.com/phpmyadmin/phpmyadmin/commit/5ebc4daf131dd3bd646326267f3e765d0249bbb4


Q & A

Can this vulnerability be exploited remotely?

Yes, but only from a man-in-the-middle position: the attacker must be able to intercept the phpMyAdmin server's outbound HTTPS connections to the GitHub API. An ordinary remote user of the web interface cannot trigger it.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Cross-site request forgery

EUVDB-ID: #VU40762

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:U/RC:C]

CVE-ID: CVE-2015-3902

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks against the phpMyAdmin setup script (PMASA-2015-2).

The vulnerability exists because state-changing requests to the setup script are accepted without an anti-CSRF token or any check of the request's origin. A remote attacker can trick the victim into visiting a specially crafted web page that silently submits such a request; the victim's browser attaches the victim's session, and the action is performed on the vulnerable site on the victim's behalf.
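The check the description says is missing, as an added example in Python (not phpMyAdmin's code and not its fix): a state-changing request is accepted only over an unsafe method, only from the site's own origin as seen in the Origin or Referer header, and only with a per-session synchronizer token compared in constant time. The origin https://pma.example.test, the header names and the request shapes in demo() are assumed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment origin; a real handler derives this from configuration.
SITE_ORIGIN = "https://pma.example.test"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session: dict) -> str:
    """Mint a random token and bind it to the server-side session.
    Embed it as a hidden field in every form that performs a state change."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_of(url: str):
    """Reduce a URL to scheme://host[:port]; None if it has no usable origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_state_change_allowed(method: str, headers: dict, form: dict, session: dict):
    """Return (allowed, reason) for a request that would modify state."""
    if method.upper() in SAFE_METHODS:
        return False, "state changes are not accepted over safe methods"
    # Check 1: request source. Browsers send Origin on cross-site POSTs; fall
    # back to Referer. A request carrying neither is rejected, not trusted.
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return False, "missing Origin and Referer"
    if origin_of(source) != SITE_ORIGIN:
        return False, f"cross-site request from {origin_of(source)}"
    # Check 2: synchronizer token, compared in constant time. This is the
    # primary defense; the origin check above is defense in depth.
    expected = session.get("csrf_token")
    submitted = form.get("token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "CSRF token missing or mismatched"
    return True, "ok"


def demo() -> dict:
    """Constructed requests: one legitimate same-site POST and three forgeries."""
    session = {}
    token = issue_csrf_token(session)
    legit = is_state_change_allowed(
        "POST", {"Origin": SITE_ORIGIN}, {"token": token}, session)
    # The advisory's scenario: the victim's browser auto-submits a form from the
    # attacker's page. The browser attaches the victim's cookies, but the Origin
    # header names the attacker's site and the form carries no valid token.
    forged = is_state_change_allowed(
        "POST", {"Origin": "https://attacker.example"}, {"action": "save"}, session)
    stale_token = is_state_change_allowed(
        "POST", {"Referer": SITE_ORIGIN + "/setup/index.php"}, {"token": "guess"}, session)
    via_get = is_state_change_allowed(
        "GET", {"Origin": SITE_ORIGIN}, {"token": token}, session)
    return {"legit": legit, "forged": forged, "stale_token": stale_token, "via_get": via_get}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:12} allowed={allowed} ({reason})")
```

Rejecting requests with neither Origin nor Referer is the strict choice; some privacy settings and non-browser clients strip Referer, which is why the token check, not the origin check, has to be the control the application relies on. Real frameworks also normalise header names to lower case before the lookup shown here.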

Mitigation

Install update from vendor's website. The issue is fixed in phpMyAdmin 4.0.10.10, 4.2.13.3, 4.3.13.1 and 4.4.6.1 (see PMASA-2015-2 and the referenced commit); distribution updates are listed under External links.

Vulnerable software versions

phpMyAdmin: 4.0.0 - 4.4.6

External links

http://lists.opensuse.org/opensuse-updates/2015-07/msg00008.html
http://www.debian.org/security/2015/dsa-3382
http://www.phpmyadmin.net/home_page/security/PMASA-2015-2.php
http://www.securityfocus.com/bid/74657
http://www.securitytracker.com/id/1032404
http://github.com/phpmyadmin/phpmyadmin/commit/ee92eb9bab8e2d546756c1d4aec81ec7c8e44b83


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
