CVE-2022-23807 (GCVE-0-2022-23807)
Vulnerability from cvelistv5
Published
2022-01-22 00:00
Modified
2024-08-03 03:51
CWE
- n/a
Summary
An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:46.021Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.phpmyadmin.net/security/PMASA-2022-1/" }, { "name": "GLSA-202311-17", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202311-17" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-26T12:06:11.924887", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://www.phpmyadmin.net/security/PMASA-2022-1/" }, { "name": "GLSA-202311-17", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202311-17" } ], "source": { "discovery": "INTERNAL" } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-23807", "datePublished": "2022-01-22T00:00:00", "dateReserved": "2022-01-21T00:00:00", "dateUpdated": "2024-08-03T03:51:46.021Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2022-23807\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2022-01-22T02:15:07.150\",\"lastModified\":\"2024-11-21T06:49:17.580\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 
5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.\"},{\"lang\":\"es\",\"value\":\"Se ha detectado un problema en phpMyAdmin versiones 4.9 anteriores a 4.9.8 y 5.1 anteriores a 5.1.2. Un usuario v\u00e1lido que ya est\u00e1 autenticado en phpMyAdmin puede manipular su cuenta para omitir la autenticaci\u00f3n de dos factores en futuras instancias de inicio de sesi\u00f3n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.9.0\",\"versionEndExcluding\":\"4.9.8\",\"matchCriteriaId\":\"5CC886AA-A01D-413D-9F3
A-CF2435D94779\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.1.0\",\"versionEndExcluding\":\"5.1.2\",\"matchCriteriaId\":\"45AFD905-B58E-42E9-9682-3CB2E644DCFF\"}]}]}],\"references\":[{\"url\":\"https://security.gentoo.org/glsa/202311-17\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.phpmyadmin.net/security/PMASA-2022-1/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202311-17\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.phpmyadmin.net/security/PMASA-2022-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}" } }
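The two pieces of the NVD data above that a practitioner actually acts on are the CVSS v3.1 vector (to confirm the published 4.3 rather than trust the number) and the CPE version ranges (to decide whether a given phpMyAdmin install is inside 4.9.0 <= v < 4.9.8 or 5.1.0 <= v < 5.1.2). The following Python is an added example, not part of the CVE record, NVD or phpMyAdmin: NVD_RECORD is a hand-trimmed copy of the record's metrics and configurations objects; cvss31_base implements the FIRST CVSS v3.1 base-score equations; is_affected handles only the plain OR node this record uses (AND nodes and negate=true are rejected rather than guessed at) and matches on the vendor and product fields of the CPE string only. parse_version assumes phpMyAdmin's plain x.y.z numbering.

```python
import math

# Hand-trimmed copy of the "metrics" and "configurations" objects from the NVD
# JSON on this page (constructed sample input; the real record has more fields).
NVD_RECORD = {
    "metrics": {"cvssMetricV31": [{"cvssData": {
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
        "baseScore": 4.3}}]},
    "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "4.9.0", "versionEndExcluding": "4.9.8"},
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "5.1.0", "versionEndExcluding": "5.1.2"},
    ]}]}],
}

# CVSS v3.1 metric weights (FIRST specification, section 7.4).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def _roundup(x: float) -> float:
    """CVSS v3.1 Roundup (smallest one-decimal value >= x), done in integers
    as the specification's reference code does, to avoid float artefacts."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss31_base(vector: str) -> tuple:
    """Return (base score, exploitability, impact) for a CVSS v3.x vector."""
    parts = vector.split("/")
    if parts[0] not in ("CVSS:3.1", "CVSS:3.0"):
        raise ValueError("not a CVSS v3.x vector: " + vector)
    m = dict(p.split(":") for p in parts[1:])
    changed = m["S"] == "C"
    pr = (_PR_CHANGED if changed else _PR_UNCHANGED)[m["PR"]]
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        base = 0.0
    else:
        base = _roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))
    return base, round(expl, 1), round(impact, 1)


def parse_version(v: str) -> tuple:
    """'5.1.1' -> (5, 1, 1). Assumes numeric x.y.z versions (phpMyAdmin style);
    a pre-release/build suffix such as '-rc1' is dropped, not ordered."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))


def _cmp(a: tuple, b: tuple) -> int:
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(record: dict, vendor: str, product: str, installed: str) -> bool:
    """True if `installed` falls inside a vulnerable cpeMatch entry for
    vendor:product. Only plain OR nodes are modelled (what this record uses)."""
    v = parse_version(installed)
    bounds = (("versionStartIncluding", lambda c: c < 0),
              ("versionStartExcluding", lambda c: c <= 0),
              ("versionEndIncluding", lambda c: c > 0),
              ("versionEndExcluding", lambda c: c >= 0))
    for config in record.get("configurations", []):
        for node in config["nodes"]:
            if node.get("operator") != "OR" or node.get("negate"):
                raise NotImplementedError("only plain OR nodes are supported")
            for match in node["cpeMatch"]:
                if not match.get("vulnerable"):
                    continue
                f = match["criteria"].split(":")  # cpe:2.3:part:vendor:product:version:...
                if (f[3], f[4]) != (vendor, product):
                    continue
                if f[5] != "*":  # exact-version CPE rather than a range
                    if _cmp(v, parse_version(f[5])) == 0:
                        return True
                    continue
                if any(key in match and outside(_cmp(v, parse_version(match[key])))
                       for key, outside in bounds):
                    continue
                return True
    return False


if __name__ == "__main__":
    vec = NVD_RECORD["metrics"]["cvssMetricV31"][0]["cvssData"]["vectorString"]
    print(vec, "->", cvss31_base(vec))
    for ver in ("4.9.7", "4.9.8", "5.1.1", "5.1.2", "5.0.4"):
        hit = is_affected(NVD_RECORD, "phpmyadmin", "phpmyadmin", ver)
        print(ver, "affected" if hit else "not in record")
```

A version outside both ranges (5.0.x, for instance) comes back "not in record" because NVD only enumerated the 4.9 and 5.1 branches; that reflects what the record says, not a vendor statement about other branches, so treat such a result as "unknown" rather than "fixed".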
opensuse-su-2023:0047-1
Vulnerability from csaf_opensuse
Published
2023-02-15 10:21
Modified
2023-02-15 10:21
Summary
Security update for phpMyAdmin
Notes
Title of the patch
Security update for phpMyAdmin
Description of the patch
This update for phpMyAdmin fixes the following issues:
phpMyAdmin was updated to 5.2.1
This is a security and bugfix release.
* Security:
- Fix (PMASA-2023-01, CWE-661, boo#1208186, CVE-2023-25727)
Fix an XSS attack through the drag-and-drop upload feature.
* Bugfixes:
- issue #17522 Fix case where the routes cache file is invalid
- issue #17506 Fix error when configuring 2FA without XMLWriter or Imagick
- issue Fix blank page when some error occurs
- issue #17519 Fix Export pages not working in certain conditions
- issue #17496 Fix error in table operation page when partitions are broken
- issue #17386 Fix system memory and system swap values on Windows
- issue #17517 Fix Database Server panel not getting hidden by ShowServerInfo configuration directive
- issue #17271 Fix database names not showing on Processes tab
- issue #17424 Fix export limit size calculation
- issue #17366 Fix refresh rate popup on Monitor page
- issue #17577 Fix monitor charts size on RTL languages
- issue #17121 Fix password_hash function incorrectly adding single quotes to password before hashing
- issue #17586 Fix statistics not showing for empty databases
- issue #17592 Clicking on the New index link on the sidebar does not throw an error anymore
- issue #17584 It's now possible to browse a database that includes two % in its name
- issue Fix PHP 8.2 deprecated string interpolation syntax
- issue Some languages are now correctly detected from the HTTP header
- issue #17617 Sorting is correctly remembered when $cfg['RememberSorting'] is true
- issue #17593 Table filtering now works when action buttons are on the right side of the row
- issue #17388 Find and Replace using regex now makes a valid query if no matching result set found
- issue #17551 Enum/Set editor will not fail to open when creating a new column
- issue #17659 Fix error when a database group is named tables, views, functions, procedures or events
- issue #17673 Allow empty values to be inserted into columns
- issue #17620 Fix error handling at phpMyAdmin startup for the JS SQL console
- issue Fixed debug queries console broken UI for query time and group count
- issue Fixed escaping of SQL query and errors for the debug console
- issue Fix console toolbar UI when the bookmark feature is disabled and sql debug is enabled
- issue #17543 Fix JS error on saving a new designer page
- issue #17546 Fix JS error after using save as and open page operation on the designer
- issue Fix PHP warning on GIS visualization when there is only one GIS column
- issue #17728 Some select HTML tags will now have the correct UI style
- issue #17734 PHP deprecations will only be shown when in a development environment
- issue #17369 Fix server error when blowfish_secret is not exactly 32 bytes long
- issue #17736 Add utf8mb3 as an alias of utf8 on the charset description page
- issue #16418 Fix FAQ 1.44 about manually removing vendor folders
- issue #12359 Setup page now sends the Content-Security-Policy headers
- issue #17747 The Column Visibility Toggle will not be hidden by other elements
- issue #17756 Edit/Copy/Delete row now works when using GROUP BY
- issue #17248 Support the UUID data type for MariaDB >= 10.7
- issue #17656 Fix replace/change/set table prefix is not working
- issue Fix monitor page filter queries only filtering the first row
- issue Fix 'Link not found!' on foreign columns for tables having no char column to show
- issue #17390 Fix 'Create view' modal doesn't show on results and empty results
- issue #17772 Fix wrong styles for add button from central columns
- issue #17389 Fix HTML disappears when exporting settings to browser's storage
- issue #17166 Fix 'Warning: #1287 'X' is deprecated [...] Please use ST_X instead.' on search page
- issue Use jquery-migrate.min.js (14KB) instead of jquery-migrate.js (31KB)
- issue #17842 Use jquery.validate.min.js (24 KB) instead of jquery.validate.js (50 KB)
- issue #17281 Fix links to databases for information_schema.SCHEMATA
- issue #17553 Fix Metro theme unreadable links above navigation tree
- issue #17553 Metro theme UI fixes and improvements
- issue #17553 Fix Metro theme login form with
- issue #16042 Exported gzip file of database has first ~73 kB uncompressed and rest is gzip compressed in Firefox
- issue #17705 Fix inline SQL query edit FK checkbox preventing submit buttons from working
- issue #17777 Fix Uncaught TypeError: Cannot read properties of null (reading 'inline') on datepickers when re-opened
- issue Fix Original theme buttons style and login form width
- issue #17892 Fix closing index edit modal and reopening causes it to fire twice
- issue #17606 Fix preview SQL modal not working inside 'Add Index' modal
- issue Fix PHP error on adding new column on create table form
- issue #17482 Default to 'Full texts' when running explain statements
- issue Fixed Chrome scrolling performance issue on a textarea of an 'export as text' page
- issue #17703 Fix datepicker appears on all fields, not just date
- issue Fix space in the tree line when a DB is expanded
- issue #17340 Fix 'New Table' page -> 'VIRTUAL' attribute is lost when adding a new column
- issue #17446 Fix missing option for STORED virtual column on MySQL and PERSISTENT is not supported on MySQL
- issue #17446 Lower the check for virtual columns to MySQL>=5.7.6 nothing is supported on 5.7.5
- issue Fix column names option for CSV Export
- issue #17177 Fix preview SQL when reordering columns doesn't work on move columns
- issue #15887 Fixed DROP TABLE errors ignored on multi table select for DROP
- issue #17944 Fix unable to create a view from tree view button
- issue #17927 Fix key navigation between select inputs (drop an old Firefox workaround)
- issue #17967 Fix missing icon for collapse all button
- issue #18006 Fixed UUID columns can't be moved
- issue Add `spellcheck='false'` to all password fields and some text fields to avoid spell-jacking data leaks
- issue Remove non working 'Analyze Explain at MariaDB.org' button (MariaDB stopped this service)
- issue #17229 Add support for Web Authentication API because Chrome removed support for the U2F API
- issue #18019 Fix 'Call to a member function fetchAssoc() on bool' with SQL mode ONLY_FULL_GROUP_BY on monitor search logs
- issue Add back UUID and UUID_SHORT to functions on MySQL and all MariaDB versions
- issue #17398 Fix clicking on JSON columns triggers update query
- issue Fix silent JSON parse error on upload progress
- issue #17833 Fix 'Add Parameter' button not working for Add Routine Screen
- issue #17365 Fixed 'Uncaught Error: regexp too big' on server status variables page
Update to 5.2.0
* Bugfix
- issue #16521 Upgrade Bootstrap to version 5
- issue #16521 Drop support for Internet Explorer and others
- issue Upgrade to shapefile 3
- issue #16555 Bump minimum PHP version to 7.2
- issue Remove the phpseclib dependency
- issue Upgrade Symfony components to version 5.2
- issue Upgrade to Motranslator 4
- issue #16005 Improve the performance of the Export logic
- issue #16829 Add NOT LIKE %...% operator to Table search
- issue #16845 Fixed some links not passing through url.php
- issue #16382 Remove apc upload progress method (all upload progress code was removed from the PHP extension)
- issue #16974 Replace zxcvbn by zxcvbn-ts
- issue #15691 Disable the last column checkbox in the column list dropdown instead of not allowing un-check
- issue #16138 Ignore the length of integer types and show a warning on MySQL >= 8.0.18
- issue Add support for the Mroonga engine
- issue Double click column name to directly copy to clipboard
- issue #16425 Add DELETE FROM table on table operations page
- issue #16482 Add a select all link for table-specific privileges
- issue #14276 Add support for account locking
- issue #17143 Use composer/ca-bundle to manage the CA cert file
- issue #17143 Require the openssl PHP extension
- issue #17171 Remove the printview.css file from themes
- issue #17203 Redesign the export and the import pages
- issue #16197 Replace the master/slave terminology
- issue #17257 Replace libraries/vendor_config.php constants with an array
- issue Add the Bootstrap theme
- issue #17499 Remove stickyfilljs JavaScript dependency
Update to 5.1.3
This is a security and bugfix release.
* Security
- Fix for boo#1197036 (CVE-2022-0813)
- Fix for path disclosure under certain server configurations
(if display_errors is on, for instance)
* Bugfix
- issue #17308 Fix broken pagination links in the navigation sidebar
- issue #17331 Fix MariaDB has no support for system variable 'disabled_storage_engines'
- issue #17315 Fix unsupported operand types in Results.php when running 'SHOW PROCESSLIST' SQL query
- issue #17288 Fixed importing browser settings question box after login when having no pmadb
- issue #17288 Fix 'First day of calendar' user override has no effect
- issue #17239 Fixed repeating headers are not working
- issue #17298 Fixed import of email addresses or links from ODS results in empty contents
- issue #17344 Fixed a type error on ODS import with non string values
- issue #17239 Fixed header row show/hide columns buttons on each line after hover are shown on each row
Update to 5.1.2
This is a security and bugfix release.
* Security
- Fix boo#1195017 (CVE-2022-23807, PMASA-2022-1, CWE-661)
Two-factor authentication bypass
- Fix boo#1195018 (CVE-2022-23808, PMASA-2022-2, CWE-661)
Multiple XSS and HTML injection attacks in setup script
* Bugfixes
- Revert a change to $cfg['CharTextareaRows'] to allow values
less than 7
- Fix encoding of enum and set values on edit value
- Fixed possible 'Undefined index: clause_is_unique' error
- Fixed some situations where a user is logged out when working
with more than one server
- Fixed a problem with assigning privileges to a user using the
multiselect list when the database name has an underscore
- Enable cookie parameter 'SameSite' when the PHP version
is 7.3 or newer
- Correctly handle the removal of 'innodb_file_format' in
MariaDB and MySQL
Patchnames
openSUSE-2023-47
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for phpMyAdmin", "title": "Title of the patch" }, { "category": "description", "text": "This update for phpMyAdmin fixes the following issues:\n\nphpMyAdmin was updated to 5.2.1\n\nThis is a security and bufix release.\n\n* Security:\n\n - Fix (PMASA-2023-01, CWE-661, boo#1208186, CVE-2023-25727) \n Fix an XSS attack through the drag-and-drop upload feature.\n\n* Bugfixes:\n\n - issue #17522 Fix case where the routes cache file is invalid\n - issue #17506 Fix error when configuring 2FA without XMLWriter or Imagick\n - issue Fix blank page when some error occurs\n - issue #17519 Fix Export pages not working in certain conditions\n - issue #17496 Fix error in table operation page when partitions are broken\n - issue #17386 Fix system memory and system swap values on Windows\n - issue #17517 Fix Database Server panel not getting hidden by ShowServerInfo configuration directive\n - issue #17271 Fix database names not showing on Processes tab\n - issue #17424 Fix export limit size calculation\n - issue #17366 Fix refresh rate popup on Monitor page\n - issue #17577 Fix monitor charts size on RTL languages\n - issue #17121 Fix password_hash function incorrectly adding single quotes to password before hashing\n - issue #17586 Fix statistics not showing for empty databases\n - issue #17592 Clicking on the New index link on the sidebar does not throw an error anymore\n - issue #17584 It\u0027s now possible to browse a database that includes two % in its name\n - issue Fix PHP 8.2 deprecated string interpolation syntax\n - issue Some languages are now correctly detected from the 
HTTP header\n - issue #17617 Sorting is correctly remembered when $cfg[\u0027RememberSorting\u0027] is true\n - issue #17593 Table filtering now works when action buttons are on the right side of the row\n - issue #17388 Find and Replace using regex now makes a valid query if no matching result set found\n - issue #17551 Enum/Set editor will not fail to open when creating a new column\n - issue #17659 Fix error when a database group is named tables, views, functions, procedures or events\n - issue #17673 Allow empty values to be inserted into columns\n - issue #17620 Fix error handling at phpMyAdmin startup for the JS SQL console\n - issue Fixed debug queries console broken UI for query time and group count\n - issue Fixed escaping of SQL query and errors for the debug console\n - issue Fix console toolbar UI when the bookmark feature is disabled and sql debug is enabled\n - issue #17543 Fix JS error on saving a new designer page\n - issue #17546 Fix JS error after using save as and open page operation on the designer\n - issue Fix PHP warning on GIS visualization when there is only one GIS column\n - issue #17728 Some select HTML tags will now have the correct UI style\n - issue #17734 PHP deprecations will only be shown when in a development environment\n - issue #17369 Fix server error when blowfish_secret is not exactly 32 bytes long\n - issue #17736 Add utf8mb3 as an alias of utf8 on the charset description page\n - issue #16418 Fix FAQ 1.44 about manually removing vendor folders\n - issue #12359 Setup page now sends the Content-Security-Policy headers\n - issue #17747 The Column Visibility Toggle will not be hidden by other elements\n - issue #17756 Edit/Copy/Delete row now works when using GROUP BY\n - issue #17248 Support the UUID data type for MariaDB \u003e= 10.7\n - issue #17656 Fix replace/change/set table prefix is not working\n - issue Fix monitor page filter queries only filtering the first row\n - issue Fix \u0027Link not found!\u0027 on foreign 
columns for tables having no char column to show\n - issue #17390 Fix \u0027Create view\u0027 modal doesn\u0027t show on results and empty results\n - issue #17772 Fix wrong styles for add button from central columns\n - issue #17389 Fix HTML disappears when exporting settings to browser\u0027s storage\n - issue #17166 Fix \u0027Warning: #1287 \u0027X\u0027 is deprecated [...] Please use ST_X instead.\u0027 on search page\n - issue Use jquery-migrate.min.js (14KB) instead of jquery-migrate.min.js (31KB)\n - issue #17842 Use jquery.validate.min.js (24 KB) instead of jquery.validate.js (50 KB)\n - issue #17281 Fix links to databases for information_schema.SCHEMATA\n - issue #17553 Fix Metro theme unreadable links above navigation tree\n - issue #17553 Metro theme UI fixes and improvements\n - issue #17553 Fix Metro theme login form with\n - issue #16042 Exported gzip file of database has first ~73 kB uncompressed and rest is gzip compressed in Firefox\n - issue #17705 Fix inline SQL query edit FK checkbox preventing submit buttons from working\n - issue #17777 Fix Uncaught TypeError: Cannot read properties of null (reading \u0027inline\u0027) on datepickers when re-opened\n - issue Fix Original theme buttons style and login form width\n - issue #17892 Fix closing index edit modal and reopening causes it to fire twice\n - issue #17606 Fix preview SQL modal not working inside \u0027Add Index\u0027 modal\n - issue Fix PHP error on adding new column on create table form\n - issue #17482 Default to \u0027Full texts\u0027 when running explain statements\n - issue Fixed Chrome scrolling performance issue on a textarea of an \u0027export as text\u0027 page\n - issue #17703 Fix datepicker appears on all fields, not just date\n - issue Fix space in the tree line when a DB is expanded\n - issue #17340 Fix \u0027New Table\u0027 page -\u003e \u0027VIRTUAL\u0027 attribute is lost when adding a new column\n - issue #17446 Fix missing option for STORED virtual column on MySQL and 
PERSISTENT is not supported on MySQL\n - issue #17446 Lower the check for virtual columns to MySQL\u003e=5.7.6 nothing is supported on 5.7.5\n - issue Fix column names option for CSV Export\n - issue #17177 Fix preview SQL when reordering columns doesn\u0027t work on move columns\n - issue #15887 Fixed DROP TABLE errors ignored on multi table select for DROP\n - issue #17944 Fix unable to create a view from tree view button\n - issue #17927 Fix key navigation between select inputs (drop an old Firefox workaround)\n - issue #17967 Fix missing icon for collapse all button\n - issue #18006 Fixed UUID columns can\u0027t be moved\n - issue Add `spellcheck=\u0027false\u0027` to all password fields and some text fields to avoid spell-jacking data leaks\n - issue Remove non working \u0027Analyze Explain at MariaDB.org\u0027 button (MariaDB stopped this service)\n - issue #17229 Add support for Web Authentication API because Chrome removed support for the U2F API\n - issue #18019 Fix \u0027Call to a member function fetchAssoc() on bool\u0027 with SQL mode ONLY_FULL_GROUP_BY on monitor search logs\n - issue Add back UUID and UUID_SHORT to functions on MySQL and all MariaDB versions\n - issue #17398 Fix clicking on JSON columns triggers update query\n - issue Fix silent JSON parse error on upload progress\n - issue #17833 Fix \u0027Add Parameter\u0027 button not working for Add Routine Screen\n - issue #17365 Fixed \u0027Uncaught Error: regexp too big\u0027 on server status variables page\n\nUpdate to 5.2.0\n\n* Bugfix\n\n - issue #16521 Upgrade Bootstrap to version 5\n - issue #16521 Drop support for Internet Explorer and others\n - issue Upgrade to shapefile 3\n - issue #16555 Bump minimum PHP version to 7.2\n - issue Remove the phpseclib dependency\n - issue Upgrade Symfony components to version 5.2\n - issue Upgrade to Motranslator 4\n - issue #16005 Improve the performance of the Export logic\n - issue #16829 Add NOT LIKE %...% operator to Table search\n - issue #16845 
Fixed some links not passing through url.php\n - issue #16382 Remove apc upload progress method (all upload progress code was removed from the PHP extension)\n - issue #16974 Replace zxcvbn by zxcvbn-ts\n - issue #15691 Disable the last column checkbox in the column list dropdown instead of not allowing un-check\n - issue #16138 Ignore the length of integer types and show a warning on MySQL \u003e= 8.0.18\n - issue Add support for the Mroonga engine\n - issue Double click column name to directly copy to clipboard\n - issue #16425 Add DELETE FROM table on table operations page\n - issue #16482 Add a select all link for table-specific privileges\n - issue #14276 Add support for account locking\n - issue #17143 Use composer/ca-bundle to manage the CA cert file\n - issue #17143 Require the openssl PHP extension\n - issue #17171 Remove the printview.css file from themes\n - issue #17203 Redesign the export and the import pages\n - issue #16197 Replace the master/slave terminology\n - issue #17257 Replace libraries/vendor_config.php constants with an array\n - issue Add the Bootstrap theme\n - issue #17499 Remove stickyfilljs JavaScript dependency\n\nUpdate to 5.1.3\n\nThis is a security and bufix release.\n\n* Security\n\n - Fix for boo#1197036 (CVE-2022-0813)\n - Fix for path disclosure under certain server configurations\n (if display_errors is on, for instance)\n\n* Bugfix\n\n - issue #17308 Fix broken pagination links in the navigation sidebar\n - issue #17331 Fix MariaDB has no support for system variable \u0027disabled_storage_engines\u0027\n - issue #17315 Fix unsupported operand types in Results.php when running \u0027SHOW PROCESSLIST\u0027 SQL query\n - issue #17288 Fixed importing browser settings question box after login when having no pmadb\n - issue #17288 Fix \u0027First day of calendar\u0027 user override has no effect\n - issue #17239 Fixed repeating headers are not working\n - issue #17298 Fixed import of email-adresses or links from ODS results in 
empty contents\n - issue #17344 Fixed a type error on ODS import with non string values\n - issue #17239 Fixed header row show/hide columns buttons on each line after hover are shown on each row\n\nUpdate to 5.1.2\n\nThis is a security and bufix release.\n\n* Security\n\n - Fix boo#1195017 (CVE-2022-23807, PMASA-2022-1, CWE-661) \n Two factor authentication bypass\n - Fix boo#1195018 (CVE-2022-23808, PMASA-2022-2, CWE-661)\n Multiple XSS and HTML injection attacks in setup script\n\n* Bugfixes\n\n - Revert a changed to $cfg[\u0027CharTextareaRows\u0027] allow values\n less than 7\n - Fix encoding of enum and set values on edit value\n - Fixed possible \u0027Undefined index: clause_is_unique\u0027 error\n - Fixed some situations where a user is logged out when working\n with more than one server\n - Fixed a problem with assigning privileges to a user using the\n multiselect list when the database name has an underscore\n - Enable cookie parameter \u0027SameSite\u0027 when the PHP version\n is 7.3 or newer\n - Correctly handle the removal of \u0027innodb_file_format\u0027 in\n MariaDB and MySQL\n\n", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-2023-47", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2023_0047-1.json" }, { "category": "self", "summary": "URL for openSUSE-SU-2023:0047-1", "url": 
"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VQ5VVS2CGDQ32RHYLQQZFFFADPEZO6KM/" }, { "category": "self", "summary": "E-Mail link for openSUSE-SU-2023:0047-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VQ5VVS2CGDQ32RHYLQQZFFFADPEZO6KM/" }, { "category": "self", "summary": "SUSE Bug 1195017", "url": "https://bugzilla.suse.com/1195017" }, { "category": "self", "summary": "SUSE Bug 1195018", "url": "https://bugzilla.suse.com/1195018" }, { "category": "self", "summary": "SUSE Bug 1197036", "url": "https://bugzilla.suse.com/1197036" }, { "category": "self", "summary": "SUSE Bug 1208186", "url": "https://bugzilla.suse.com/1208186" }, { "category": "self", "summary": "SUSE CVE CVE-2022-0813 page", "url": "https://www.suse.com/security/cve/CVE-2022-0813/" }, { "category": "self", "summary": "SUSE CVE CVE-2022-23807 page", "url": "https://www.suse.com/security/cve/CVE-2022-23807/" }, { "category": "self", "summary": "SUSE CVE CVE-2022-23808 page", "url": "https://www.suse.com/security/cve/CVE-2022-23808/" }, { "category": "self", "summary": "SUSE CVE CVE-2023-25727 page", "url": "https://www.suse.com/security/cve/CVE-2023-25727/" } ], "title": "Security update for phpMyAdmin", "tracking": { "current_release_date": "2023-02-15T10:21:02Z", "generator": { "date": "2023-02-15T10:21:02Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2023:0047-1", "initial_release_date": "2023-02-15T10:21:02Z", "revision_history": [ { "date": "2023-02-15T10:21:02Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "product": { "name": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "product_id": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch" } }, { "category": "product_version", "name": 
"phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "product": { "name": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "product_id": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch" } }, { "category": "product_version", "name": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch", "product": { "name": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch", "product_id": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_name", "name": "SUSE Package Hub 15 SP4", "product": { "name": "SUSE Package Hub 15 SP4", "product_id": "SUSE Package Hub 15 SP4" } }, { "category": "product_name", "name": "openSUSE Leap 15.4", "product": { "name": "openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.4" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4", "product_id": "SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch" }, "product_reference": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "relates_to_product_reference": "SUSE Package Hub 15 SP4" }, { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4", "product_id": "SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch" }, "product_reference": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "relates_to_product_reference": "SUSE Package Hub 15 SP4" }, { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4", "product_id": "SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch" }, "product_reference": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch", 
"relates_to_product_reference": "SUSE Package Hub 15 SP4" }, { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch as component of openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch" }, "product_reference": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "relates_to_product_reference": "openSUSE Leap 15.4" }, { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch as component of openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch" }, "product_reference": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "relates_to_product_reference": "openSUSE Leap 15.4" }, { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch as component of openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch" }, "product_reference": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch", "relates_to_product_reference": "openSUSE Leap 15.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-0813", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-0813" } ], "notes": [ { "category": "general", "text": "PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially sensitive information by creating invalid requests. 
This affects the lang parameter, the pma_parameter, and the cookie section.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2022-0813", "url": "https://www.suse.com/security/cve/CVE-2022-0813" }, { "category": "external", "summary": "SUSE Bug 1197036 for CVE-2022-0813", "url": "https://bugzilla.suse.com/1197036" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch" ] } ], "threats": [ { "category": "impact", "date": 
"2023-02-15T10:21:02Z", "details": "moderate" } ], "title": "CVE-2022-0813" }, { "cve": "CVE-2022-23807", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-23807" } ], "notes": [ { "category": "general", "text": "An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2022-23807", "url": "https://www.suse.com/security/cve/CVE-2022-23807" }, { "category": "external", "summary": "SUSE Bug 1195017 for CVE-2022-23807", "url": "https://bugzilla.suse.com/1195017" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "SUSE Package Hub 15 
SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2023-02-15T10:21:02Z", "details": "moderate" } ], "title": "CVE-2022-23807" }, { "cve": "CVE-2022-23808", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-23808" } ], "notes": [ { "category": "general", "text": "An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2022-23808", "url": "https://www.suse.com/security/cve/CVE-2022-23808" }, { "category": "external", "summary": "SUSE Bug 1195018 for CVE-2022-23808", "url": "https://bugzilla.suse.com/1195018" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 
15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2023-02-15T10:21:02Z", "details": "moderate" } ], "title": "CVE-2022-23808" }, { "cve": "CVE-2023-25727", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2023-25727" } ], "notes": [ { "category": "general", "text": "In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger XSS by uploading a crafted .sql file through the drag-and-drop interface.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2023-25727", "url": "https://www.suse.com/security/cve/CVE-2023-25727" }, { "category": "external", "summary": "SUSE Bug 1208186 for CVE-2023-25727", "url": "https://bugzilla.suse.com/1208186" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE 
Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch", "openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2023-02-15T10:21:02Z", "details": "moderate" } ], "title": "CVE-2023-25727" } ] }
opensuse-su-2023:0154-1
Vulnerability from csaf_opensuse
Published
2023-06-27 17:51
Modified
2023-06-27 17:51
Summary
Security update for phpMyAdmin
Notes
Title of the patch
Security update for phpMyAdmin
Description of the patch
This update for phpMyAdmin fixes the following issues:
Update to 4.9.11:
- CVE-2023-25727: Fixed XSS vulnerability in drag-and-drop upload (boo#1208186).
Patchnames
openSUSE-2023-154
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for phpMyAdmin", "title": "Title of the patch" }, { "category": "description", "text": "This update for phpMyAdmin fixes the following issues:\n\nUpdate to 4.9.11:\n\n- CVE-2023-25727: Fixed XSS vulnerability in drag-and-drop upload (boo#1208186).\n", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-2023-154", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2023_0154-1.json" }, { "category": "self", "summary": "URL for openSUSE-SU-2023:0154-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SIBPCIY36W2XLHJWQUOTE37ZJ4IX6SLB/" }, { "category": "self", "summary": "E-Mail link for openSUSE-SU-2023:0154-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SIBPCIY36W2XLHJWQUOTE37ZJ4IX6SLB/" }, { "category": "self", "summary": "SUSE Bug 1092345", "url": "https://bugzilla.suse.com/1092345" }, { "category": "self", "summary": "SUSE Bug 1170743", "url": 
"https://bugzilla.suse.com/1170743" }, { "category": "self", "summary": "SUSE Bug 1195017", "url": "https://bugzilla.suse.com/1195017" }, { "category": "self", "summary": "SUSE Bug 1208186", "url": "https://bugzilla.suse.com/1208186" }, { "category": "self", "summary": "SUSE CVE CVE-2022-23807 page", "url": "https://www.suse.com/security/cve/CVE-2022-23807/" }, { "category": "self", "summary": "SUSE CVE CVE-2023-25727 page", "url": "https://www.suse.com/security/cve/CVE-2023-25727/" } ], "title": "Security update for phpMyAdmin", "tracking": { "current_release_date": "2023-06-27T17:51:34Z", "generator": { "date": "2023-06-27T17:51:34Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2023:0154-1", "initial_release_date": "2023-06-27T17:51:34Z", "revision_history": [ { "date": "2023-06-27T17:51:34Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "phpMyAdmin-4.9.11-bp153.2.6.1.noarch", "product": { "name": "phpMyAdmin-4.9.11-bp153.2.6.1.noarch", "product_id": "phpMyAdmin-4.9.11-bp153.2.6.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_name", "name": "SUSE Package Hub 12", "product": { "name": "SUSE Package Hub 12", "product_id": "SUSE Package Hub 12", "product_identification_helper": { "cpe": "cpe:/o:suse:packagehub:12" } } }, { "category": "product_name", "name": "SUSE Package Hub 15 SP3", "product": { "name": "SUSE Package Hub 15 SP3", "product_id": "SUSE Package Hub 15 SP3" } }, { "category": "product_name", "name": "openSUSE Leap 15.3", "product": { "name": "openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.3" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], 
"relationships": [ { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-4.9.11-bp153.2.6.1.noarch as component of SUSE Package Hub 12", "product_id": "SUSE Package Hub 12:phpMyAdmin-4.9.11-bp153.2.6.1.noarch" }, "product_reference": "phpMyAdmin-4.9.11-bp153.2.6.1.noarch", "relates_to_product_reference": "SUSE Package Hub 12" }, { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-4.9.11-bp153.2.6.1.noarch as component of SUSE Package Hub 15 SP3", "product_id": "SUSE Package Hub 15 SP3:phpMyAdmin-4.9.11-bp153.2.6.1.noarch" }, "product_reference": "phpMyAdmin-4.9.11-bp153.2.6.1.noarch", "relates_to_product_reference": "SUSE Package Hub 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-4.9.11-bp153.2.6.1.noarch as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:phpMyAdmin-4.9.11-bp153.2.6.1.noarch" }, "product_reference": "phpMyAdmin-4.9.11-bp153.2.6.1.noarch", "relates_to_product_reference": "openSUSE Leap 15.3" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-23807", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-23807" } ], "notes": [ { "category": "general", "text": "An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. 
A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 12:phpMyAdmin-4.9.11-bp153.2.6.1.noarch", "SUSE Package Hub 15 SP3:phpMyAdmin-4.9.11-bp153.2.6.1.noarch", "openSUSE Leap 15.3:phpMyAdmin-4.9.11-bp153.2.6.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2022-23807", "url": "https://www.suse.com/security/cve/CVE-2022-23807" }, { "category": "external", "summary": "SUSE Bug 1195017 for CVE-2022-23807", "url": "https://bugzilla.suse.com/1195017" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 12:phpMyAdmin-4.9.11-bp153.2.6.1.noarch", "SUSE Package Hub 15 SP3:phpMyAdmin-4.9.11-bp153.2.6.1.noarch", "openSUSE Leap 15.3:phpMyAdmin-4.9.11-bp153.2.6.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "SUSE Package Hub 12:phpMyAdmin-4.9.11-bp153.2.6.1.noarch", "SUSE Package Hub 15 SP3:phpMyAdmin-4.9.11-bp153.2.6.1.noarch", "openSUSE Leap 15.3:phpMyAdmin-4.9.11-bp153.2.6.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2023-06-27T17:51:34Z", "details": "moderate" } ], "title": "CVE-2022-23807" }, { "cve": "CVE-2023-25727", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2023-25727" } ], "notes": [ { "category": "general", "text": "In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger XSS by uploading a crafted .sql file through the drag-and-drop interface.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 
12:phpMyAdmin-4.9.11-bp153.2.6.1.noarch", "SUSE Package Hub 15 SP3:phpMyAdmin-4.9.11-bp153.2.6.1.noarch", "openSUSE Leap 15.3:phpMyAdmin-4.9.11-bp153.2.6.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2023-25727", "url": "https://www.suse.com/security/cve/CVE-2023-25727" }, { "category": "external", "summary": "SUSE Bug 1208186 for CVE-2023-25727", "url": "https://bugzilla.suse.com/1208186" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 12:phpMyAdmin-4.9.11-bp153.2.6.1.noarch", "SUSE Package Hub 15 SP3:phpMyAdmin-4.9.11-bp153.2.6.1.noarch", "openSUSE Leap 15.3:phpMyAdmin-4.9.11-bp153.2.6.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "SUSE Package Hub 12:phpMyAdmin-4.9.11-bp153.2.6.1.noarch", "SUSE Package Hub 15 SP3:phpMyAdmin-4.9.11-bp153.2.6.1.noarch", "openSUSE Leap 15.3:phpMyAdmin-4.9.11-bp153.2.6.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2023-06-27T17:51:34Z", "details": "moderate" } ], "title": "CVE-2023-25727" } ] }
opensuse-su-2024:11765-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
phpMyAdmin-5.1.2-1.1 on GA media
Notes
Title of the patch
phpMyAdmin-5.1.2-1.1 on GA media
Description of the patch
These are all security issues fixed in the phpMyAdmin-5.1.2-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-11765
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "phpMyAdmin-5.1.2-1.1 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the phpMyAdmin-5.1.2-1.1 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2024-11765", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11765-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2022-23807 page", "url": "https://www.suse.com/security/cve/CVE-2022-23807/" }, { "category": "self", "summary": "SUSE CVE CVE-2022-23808 page", "url": "https://www.suse.com/security/cve/CVE-2022-23808/" } ], "title": "phpMyAdmin-5.1.2-1.1 on GA media", "tracking": { "current_release_date": "2024-06-15T00:00:00Z", "generator": { "date": "2024-06-15T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:11765-1", "initial_release_date": "2024-06-15T00:00:00Z", "revision_history": [ { "date": 
"2024-06-15T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "phpMyAdmin-5.1.2-1.1.aarch64", "product": { "name": "phpMyAdmin-5.1.2-1.1.aarch64", "product_id": "phpMyAdmin-5.1.2-1.1.aarch64" } }, { "category": "product_version", "name": "phpMyAdmin-apache-5.1.2-1.1.aarch64", "product": { "name": "phpMyAdmin-apache-5.1.2-1.1.aarch64", "product_id": "phpMyAdmin-apache-5.1.2-1.1.aarch64" } }, { "category": "product_version", "name": "phpMyAdmin-lang-5.1.2-1.1.aarch64", "product": { "name": "phpMyAdmin-lang-5.1.2-1.1.aarch64", "product_id": "phpMyAdmin-lang-5.1.2-1.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "phpMyAdmin-5.1.2-1.1.ppc64le", "product": { "name": "phpMyAdmin-5.1.2-1.1.ppc64le", "product_id": "phpMyAdmin-5.1.2-1.1.ppc64le" } }, { "category": "product_version", "name": "phpMyAdmin-apache-5.1.2-1.1.ppc64le", "product": { "name": "phpMyAdmin-apache-5.1.2-1.1.ppc64le", "product_id": "phpMyAdmin-apache-5.1.2-1.1.ppc64le" } }, { "category": "product_version", "name": "phpMyAdmin-lang-5.1.2-1.1.ppc64le", "product": { "name": "phpMyAdmin-lang-5.1.2-1.1.ppc64le", "product_id": "phpMyAdmin-lang-5.1.2-1.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "phpMyAdmin-5.1.2-1.1.s390x", "product": { "name": "phpMyAdmin-5.1.2-1.1.s390x", "product_id": "phpMyAdmin-5.1.2-1.1.s390x" } }, { "category": "product_version", "name": "phpMyAdmin-apache-5.1.2-1.1.s390x", "product": { "name": "phpMyAdmin-apache-5.1.2-1.1.s390x", "product_id": "phpMyAdmin-apache-5.1.2-1.1.s390x" } }, { "category": "product_version", "name": "phpMyAdmin-lang-5.1.2-1.1.s390x", "product": { "name": "phpMyAdmin-lang-5.1.2-1.1.s390x", "product_id": "phpMyAdmin-lang-5.1.2-1.1.s390x" } } ], "category": 
"architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "phpMyAdmin-5.1.2-1.1.x86_64", "product": { "name": "phpMyAdmin-5.1.2-1.1.x86_64", "product_id": "phpMyAdmin-5.1.2-1.1.x86_64" } }, { "category": "product_version", "name": "phpMyAdmin-apache-5.1.2-1.1.x86_64", "product": { "name": "phpMyAdmin-apache-5.1.2-1.1.x86_64", "product_id": "phpMyAdmin-apache-5.1.2-1.1.x86_64" } }, { "category": "product_version", "name": "phpMyAdmin-lang-5.1.2-1.1.x86_64", "product": { "name": "phpMyAdmin-lang-5.1.2-1.1.x86_64", "product_id": "phpMyAdmin-lang-5.1.2-1.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-5.1.2-1.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.aarch64" }, "product_reference": "phpMyAdmin-5.1.2-1.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-5.1.2-1.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.ppc64le" }, "product_reference": "phpMyAdmin-5.1.2-1.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-5.1.2-1.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.s390x" }, "product_reference": "phpMyAdmin-5.1.2-1.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", 
"full_product_name": { "name": "phpMyAdmin-5.1.2-1.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.x86_64" }, "product_reference": "phpMyAdmin-5.1.2-1.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-apache-5.1.2-1.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.aarch64" }, "product_reference": "phpMyAdmin-apache-5.1.2-1.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-apache-5.1.2-1.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.ppc64le" }, "product_reference": "phpMyAdmin-apache-5.1.2-1.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-apache-5.1.2-1.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.s390x" }, "product_reference": "phpMyAdmin-apache-5.1.2-1.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-apache-5.1.2-1.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.x86_64" }, "product_reference": "phpMyAdmin-apache-5.1.2-1.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-lang-5.1.2-1.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.aarch64" }, "product_reference": "phpMyAdmin-lang-5.1.2-1.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { 
"name": "phpMyAdmin-lang-5.1.2-1.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.ppc64le" }, "product_reference": "phpMyAdmin-lang-5.1.2-1.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-lang-5.1.2-1.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.s390x" }, "product_reference": "phpMyAdmin-lang-5.1.2-1.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "phpMyAdmin-lang-5.1.2-1.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.x86_64" }, "product_reference": "phpMyAdmin-lang-5.1.2-1.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-23807", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-23807" } ], "notes": [ { "category": "general", "text": "An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. 
A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.aarch64", "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.ppc64le", "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.s390x", "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.x86_64", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.aarch64", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.ppc64le", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.s390x", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.x86_64", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.aarch64", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.ppc64le", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.s390x", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2022-23807", "url": "https://www.suse.com/security/cve/CVE-2022-23807" }, { "category": "external", "summary": "SUSE Bug 1195017 for CVE-2022-23807", "url": "https://bugzilla.suse.com/1195017" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.aarch64", "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.ppc64le", "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.s390x", "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.x86_64", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.aarch64", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.ppc64le", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.s390x", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.x86_64", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.aarch64", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.ppc64le", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.s390x", "openSUSE 
Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.aarch64", "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.ppc64le", "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.s390x", "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.x86_64", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.aarch64", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.ppc64le", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.s390x", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.x86_64", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.aarch64", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.ppc64le", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.s390x", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "moderate" } ], "title": "CVE-2022-23807" }, { "cve": "CVE-2022-23808", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-23808" } ], "notes": [ { "category": "general", "text": "An issue was discovered in phpMyAdmin 5.1 before 5.1.2. 
An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.aarch64", "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.ppc64le", "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.s390x", "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.x86_64", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.aarch64", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.ppc64le", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.s390x", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.x86_64", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.aarch64", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.ppc64le", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.s390x", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2022-23808", "url": "https://www.suse.com/security/cve/CVE-2022-23808" }, { "category": "external", "summary": "SUSE Bug 1195018 for CVE-2022-23808", "url": "https://bugzilla.suse.com/1195018" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.aarch64", "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.ppc64le", "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.s390x", "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.x86_64", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.aarch64", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.ppc64le", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.s390x", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.x86_64", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.aarch64", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.ppc64le", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.s390x", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.x86_64" ] } ], "scores": [ { 
"cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.aarch64", "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.ppc64le", "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.s390x", "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.x86_64", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.aarch64", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.ppc64le", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.s390x", "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.x86_64", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.aarch64", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.ppc64le", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.s390x", "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "moderate" } ], "title": "CVE-2022-23808" } ] }
fkie_cve-2022-23807
Vulnerability from fkie_nvd
Published
2022-01-22 02:15
Modified
2024-11-21 06:49
Summary
An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://security.gentoo.org/glsa/202311-17 |
cve@mitre.org | https://www.phpmyadmin.net/security/PMASA-2022-1/ | Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202311-17 |
af854a3a-2127-422b-91ae-364da2661108 | https://www.phpmyadmin.net/security/PMASA-2022-1/ | Patch, Vendor Advisory
Impacted products
Vendor | Product | Version
---|---|---
phpmyadmin | phpmyadmin | *
phpmyadmin | phpmyadmin | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CC886AA-A01D-413D-9F3A-CF2435D94779", "versionEndExcluding": "4.9.8", "versionStartIncluding": "4.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*", "matchCriteriaId": "45AFD905-B58E-42E9-9682-3CB2E644DCFF", "versionEndExcluding": "5.1.2", "versionStartIncluding": "5.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances." }, { "lang": "es", "value": "Se ha detectado un problema en phpMyAdmin versiones 4.9 anteriores a 4.9.8 y 5.1 anteriores a 5.1.2. Un usuario v\u00e1lido que ya est\u00e1 autenticado en phpMyAdmin puede manipular su cuenta para omitir la autenticaci\u00f3n de dos factores en futuras instancias de inicio de sesi\u00f3n" } ], "id": "CVE-2022-23807", "lastModified": "2024-11-21T06:49:17.580", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", 
"privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-01-22T02:15:07.150", "references": [ { "source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/202311-17" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://www.phpmyadmin.net/security/PMASA-2022-1/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202311-17" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://www.phpmyadmin.net/security/PMASA-2022-1/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
wid-sec-w-2022-0247
Vulnerability from csaf_certbund
Published
2022-01-23 23:00
Modified
2023-11-26 23:00
Summary
phpMyAdmin: Multiple vulnerabilities
Notes
The BSI, as the provider of its own content made available for use, is responsible for that content under the general laws. Users are, however, responsible for carefully examining in each individual case the use and/or implementation of the information provided with the content.
Product description
phpMyAdmin is a web interface written in PHP for administering MySQL databases.
Attack
A remote anonymous or authenticated attacker can exploit multiple vulnerabilities in phpMyAdmin to bypass security measures or carry out a cross-site scripting attack.
Affected operating systems
- UNIX
- Linux
- Windows
- Other
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "phpMyAdmin ist eine in PHP geschriebene Web-Oberfl\u00e4che zur Administration von MySQL Datenbanken.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in phpMyAdmin ausnutzen, um Sicherheitsvorkehrungen zu umgehen oder einen Cross Site Scripting Angriff durchzuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- Windows\n- Sonstiges", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2022-0247 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-0247.json" }, { "category": "self", "summary": "WID-SEC-2022-0247 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0247" }, { "category": "external", "summary": "Gentoo Linux Security Advisory GLSA-202311-17 vom 2023-11-26", "url": "https://security.gentoo.org/glsa/202311-17" }, { "category": "external", "summary": "phpMyAdmin Security Announcement vom 2022-01-23", "url": "https://www.phpmyadmin.net/security/PMASA-2022-1/" }, { 
"category": "external", "summary": "phpMyAdmin Security Announcement vom 2022-01-23", "url": "https://www.phpmyadmin.net/security/PMASA-2022-2/" }, { "category": "external", "summary": "PoC CVE-2022-23808 vom 2022-06-09", "url": "https://github.com/Trhackno/CVE-2022-23808" } ], "source_lang": "en-US", "title": "phpMyAdmin: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-11-26T23:00:00.000+00:00", "generator": { "date": "2024-08-15T17:27:37.685+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2022-0247", "initial_release_date": "2022-01-23T23:00:00.000+00:00", "revision_history": [ { "date": "2022-01-23T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2022-01-24T23:00:00.000+00:00", "number": "2", "summary": "Referenz(en) aufgenommen: FEDORA-2022-914FA8641A, FEDORA-2022-3544C7D20E" }, { "date": "2022-06-09T22:00:00.000+00:00", "number": "3", "summary": "PoC f\u00fcr CVE-2022-23808 aufgenommen" }, { "date": "2023-11-26T23:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Gentoo aufgenommen" } ], "status": "final", "version": "4" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Gentoo Linux", "product": { "name": "Gentoo Linux", "product_id": "T012167", "product_identification_helper": { "cpe": "cpe:/o:gentoo:linux:-" } } } ], "category": "vendor", "name": "Gentoo" }, { "branches": [ { "category": "product_name", "name": "Open Source phpMyAdmin \u003c 5.1.2", "product": { "name": "Open Source phpMyAdmin \u003c 5.1.2", "product_id": "T021796", "product_identification_helper": { "cpe": "cpe:/a:phpmyadmin:phpmyadmin:5.1.2" } } } ], "category": "vendor", "name": "Open Source" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-23807", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in phpMyAdmin. 
Ein berechtigter Nutzer kann durch eine Reihe von Aktionen die Zwei-Faktor-Authentifizierung f\u00fcr dieses Konto deaktivieren. Ein authentisierter Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T012167" ] }, "release_date": "2022-01-23T23:00:00.000+00:00", "title": "CVE-2022-23807" }, { "cve": "CVE-2022-23808", "notes": [ { "category": "description", "text": "In phpMyAdmin existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter anonymer Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T012167" ] }, "release_date": "2022-01-23T23:00:00.000+00:00", "title": "CVE-2022-23808" } ] }
ghsa-8wf2-3ggj-78q9
Vulnerability from github
Published
2022-01-28 22:44
Modified
2024-04-22 19:09
Summary
Improper Authentication in phpmyadmin
Details
An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.
{ "affected": [ { "package": { "ecosystem": "Packagist", "name": "phpmyadmin/phpmyadmin" }, "ranges": [ { "events": [ { "introduced": "4.9.0" }, { "fixed": "4.9.8" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Packagist", "name": "phpmyadmin/phpmyadmin" }, "ranges": [ { "events": [ { "introduced": "5.1.0" }, { "fixed": "5.1.2" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-23807" ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": true, "github_reviewed_at": "2022-01-28T22:31:16Z", "nvd_published_at": "2022-01-22T02:15:00Z", "severity": "MODERATE" }, "details": "An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.", "id": "GHSA-8wf2-3ggj-78q9", "modified": "2024-04-22T19:09:46Z", "published": "2022-01-28T22:44:40Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23807" }, { "type": "WEB", "url": "https://github.com/phpmyadmin/phpmyadmin/commit/ca54f1db050859eb8555875c6aa5d7796fdf4b32" }, { "type": "PACKAGE", "url": "https://github.com/phpmyadmin/phpmyadmin" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202311-17" }, { "type": "WEB", "url": "https://www.phpmyadmin.net/security/PMASA-2022-1" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "type": "CVSS_V3" } ], "summary": "Improper Authentication in phpmyadmin" }
gsd-2022-23807
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.
Aliases
{ "GSD": { "alias": "CVE-2022-23807", "description": "An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.", "id": "GSD-2022-23807", "references": [ "https://www.suse.com/security/cve/CVE-2022-23807.html", "https://advisories.mageia.org/CVE-2022-23807.html" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2022-23807" ], "details": "An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.", "id": "GSD-2022-23807", "modified": "2023-12-13T01:19:35.470761Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-23807", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.phpmyadmin.net/security/PMASA-2022-1/", "refsource": "MISC", "url": "https://www.phpmyadmin.net/security/PMASA-2022-1/" }, { "name": "GLSA-202311-17", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202311-17" } ] }, "source": { "discovery": "INTERNAL" } }, "gitlab.com": { "advisories": [ { "affected_range": "\u003e=4.9.0,\u003c4.9.8||\u003e=5.1.0,\u003c5.1.2", "affected_versions": "All versions starting from 4.9.0 before 4.9.8, all versions starting from 5.1.0 before 5.1.2", "cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "cwe_ids": [ "CWE-1035", "CWE-287", "CWE-937" ], "date": "2022-01-27", "description": "An issue was discovered in phpMyAdm. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.", "fixed_versions": [ "5.0.0" ], "identifier": "CVE-2022-23807", "identifiers": [ "CVE-2022-23807" ], "not_impacted": "All versions before 4.9.0, all versions starting from 4.9.8 before 5.1.0, all versions starting from 5.1.2", "package_slug": "packagist/phpmyadmin/phpmyadmin", "pubdate": "2022-01-22", "solution": "Upgrade to version 5.0.0 or above.", "title": "Improper Authentication", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2022-23807", "https://www.phpmyadmin.net/security/PMASA-2022-1/" ], "uuid": "7c859ea2-8977-48cb-9ae8-0a516cd3b4d4" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "4.9.8", "versionStartIncluding": "4.9.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "5.1.2", 
"versionStartIncluding": "5.1.0", "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-23807" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-287" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.phpmyadmin.net/security/PMASA-2022-1/", "refsource": "MISC", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://www.phpmyadmin.net/security/PMASA-2022-1/" }, { "name": "GLSA-202311-17", "refsource": "", "tags": [], "url": "https://security.gentoo.org/glsa/202311-17" } ] } }, "impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false }, "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4 } }, "lastModifiedDate": "2023-11-26T12:15Z", "publishedDate": 
"2022-01-22T02:15Z" } } }
Sightings
Author | Source | Type | Date
---|---|---|---
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.