phpMyAdmin before 4.9.0 CSRF Vulnerability

Summary

An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim’s phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.

Credit:

The information has been provided by Mauro Tempesta

The original article can be found at: https://www.phpmyadmin.net/security/


Details

phpMyAdmin is prone to a cross-site request forgery (CSRF) vulnerability. A remote attacker who can get a logged-in phpMyAdmin user to load attacker-controlled content (for example a page carrying a broken <img> tag whose URL points at the victim's phpMyAdmin instance) can force that user's browser to send a request to phpMyAdmin with the user's session cookie attached. Because the affected versions do not adequately verify that such a request originated from the application itself, the request is processed as a legitimate action of the authenticated user, and an attacker-chosen SQL statement such as an INSERT or DELETE can be executed against the victim's database.
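The following is an added illustration of the class of bug described above, not code from phpMyAdmin or from the advisory. It models a minimal request handler in Python with an in-memory SQLite database: a vulnerable variant that executes the SQL found in a request parameter whenever a session cookie is present, and a hardened variant that refuses anything that is not a POST carrying the per-session anti-CSRF token. The parameter names (`sql`, `token`), the handler structure, and the forged request are assumptions made for the example; they are not phpMyAdmin's actual endpoints or parameters.

```python
import hmac
import secrets
import sqlite3
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    params: dict
    # Whether the browser attached the application's session cookie.
    # An <img src="https://victim-pma/..."> load from an attacker's page
    # sends it automatically; that is what makes the forged request
    # look authenticated to the server.
    has_session_cookie: bool = True


@dataclass
class Session:
    db: sqlite3.Connection
    # Per-session synchronizer token (hypothetical; any unguessable value
    # bound to the session works). A cross-site page cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


def vulnerable_handler(session, request):
    """Hypothetical vulnerable pattern: runs the SQL in the 'sql' parameter
    on GET or POST with no token check. Any cross-site image load that
    carries the session cookie therefore executes attacker-chosen SQL
    with the victim's privileges."""
    if not request.has_session_cookie:
        return "not logged in"
    session.db.execute(request.params["sql"])
    session.db.commit()
    return "ok"


def hardened_handler(session, request):
    """Same action, hardened: (1) state-changing requests must be POST, so a
    bare <img> load (always GET) cannot trigger them; (2) the request must
    carry the per-session token, compared in constant time."""
    if not request.has_session_cookie:
        return "not logged in"
    if request.method != "POST":
        return "rejected: method"
    token = request.params.get("token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return "rejected: token"
    session.db.execute(request.params["sql"])
    session.db.commit()
    return "ok"


def new_session():
    """Constructed sample database: two rows the attacker wants to delete."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO users (name) VALUES ('alice'), ('bob')")
    db.commit()
    return Session(db)


def row_count(session):
    return session.db.execute("SELECT COUNT(*) FROM users").fetchone()[0]


# Constructed forged request: what the server sees when the victim's browser
# fetches <img src="https://victim-pma/...?sql=DELETE+FROM+users">.
# It is a GET, carries the session cookie, and has no token.
FORGED = Request(method="GET", params={"sql": "DELETE FROM users"})


def demo_forged(handler):
    """Returns (handler verdict, rows left) after the forged request."""
    s = new_session()
    verdict = handler(s, FORGED)
    return verdict, row_count(s)


def demo_post_without_token():
    """A forged POST (e.g. auto-submitted form) still lacks the token."""
    s = new_session()
    r = Request(method="POST", params={"sql": "DELETE FROM users"})
    return hardened_handler(s, r), row_count(s)


def demo_legitimate():
    """A real in-app request: POST plus the token from the user's own page."""
    s = new_session()
    r = Request(method="POST",
                params={"sql": "DELETE FROM users WHERE name = 'bob'",
                        "token": s.csrf_token})
    return hardened_handler(s, r), row_count(s)


if __name__ == "__main__":
    print("vulnerable, forged img load:", demo_forged(vulnerable_handler))
    print("hardened, forged img load:  ", demo_forged(hardened_handler))
    print("hardened, POST w/o token:   ", demo_post_without_token())
    print("hardened, legitimate:       ", demo_legitimate())
```

The method check alone stops the `<img>` vector, since image loads are always GET, but the token check is what stops a forged POST from an auto-submitting form on the attacker's page. Setting the session cookie with `SameSite=Lax` or `Strict` is a worthwhile additional layer, but it depends on browser support and should not replace the token.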


Vulnerable Systems:

  • phpMyAdmin 0.9.0
  • phpMyAdmin 1.0.0
  • phpMyAdmin 1.0.1
  • phpMyAdmin 1.0.2
  • phpMyAdmin 1.0.3
  • phpMyAdmin 1.0.4
  • phpMyAdmin 1.0.5
  • phpMyAdmin 1.0.6
  • phpMyAdmin 1.0.7
  • phpMyAdmin 1.0.8
  • phpMyAdmin 1.1
  • phpMyAdmin 1.1.0
  • phpMyAdmin 1.2
  • phpMyAdmin 1.2.0
  • phpMyAdmin 1.2.1
  • phpMyAdmin 1.2.2
  • phpMyAdmin 1.2.3
  • phpMyAdmin 1.2.4
  • phpMyAdmin 1.2.5
  • phpMyAdmin 1.2.6
  • phpMyAdmin 1.2.7
  • phpMyAdmin 1.2.8
  • phpMyAdmin 1.2.9
  • phpMyAdmin 1.2.9.1
  • phpMyAdmin 1.2.9.2
  • phpMyAdmin 1.2.9.3
  • phpMyAdmin 1.2.9.4
  • phpMyAdmin 1.2.9.5
  • phpMyAdmin 1.3
  • phpMyAdmin 1.3.0
  • phpMyAdmin 1.3.1
  • phpMyAdmin 2.0.5
  • phpMyAdmin 2.1.0
  • phpMyAdmin 2.2.0
  • phpMyAdmin 2.3.0
  • phpMyAdmin 2.4.0
  • phpMyAdmin 2.5.0
  • phpMyAdmin 2.6.0
  • phpMyAdmin 2.7.0
  • phpMyAdmin 2.8.0
  • phpMyAdmin 2.9.0
  • phpMyAdmin 2.9.0.1
  • phpMyAdmin 2.9.0.2
  • phpMyAdmin 2.9.0.3
  • phpMyAdmin 2.9.1

The list above is incomplete: as stated in the summary, every phpMyAdmin release before 4.9.0 is affected. Upgrade to 4.9.0 or later.

    CVE Information:
    CVE-2019-12616

    Disclosure Timeline:
    Publish Date: 06/05/2019

    Categories: News