opensuse-su-2023:0047-1
Vulnerability from csaf_opensuse
Published
2023-02-15 10:21
Modified
2023-02-15 10:21
Summary
Security update for phpMyAdmin
Notes
Title of the patch
Security update for phpMyAdmin
Description of the patch
This update for phpMyAdmin fixes the following issues:
phpMyAdmin was updated to 5.2.1
This is a security and bufix release.
* Security:
- Fix (PMASA-2023-01, CWE-661, boo#1208186, CVE-2023-25727)
Fix an XSS attack through the drag-and-drop upload feature.
* Bugfixes:
- issue #17522 Fix case where the routes cache file is invalid
- issue #17506 Fix error when configuring 2FA without XMLWriter or Imagick
- issue Fix blank page when some error occurs
- issue #17519 Fix Export pages not working in certain conditions
- issue #17496 Fix error in table operation page when partitions are broken
- issue #17386 Fix system memory and system swap values on Windows
- issue #17517 Fix Database Server panel not getting hidden by ShowServerInfo configuration directive
- issue #17271 Fix database names not showing on Processes tab
- issue #17424 Fix export limit size calculation
- issue #17366 Fix refresh rate popup on Monitor page
- issue #17577 Fix monitor charts size on RTL languages
- issue #17121 Fix password_hash function incorrectly adding single quotes to password before hashing
- issue #17586 Fix statistics not showing for empty databases
- issue #17592 Clicking on the New index link on the sidebar does not throw an error anymore
- issue #17584 It's now possible to browse a database that includes two % in its name
- issue Fix PHP 8.2 deprecated string interpolation syntax
- issue Some languages are now correctly detected from the HTTP header
- issue #17617 Sorting is correctly remembered when $cfg['RememberSorting'] is true
- issue #17593 Table filtering now works when action buttons are on the right side of the row
- issue #17388 Find and Replace using regex now makes a valid query if no matching result set found
- issue #17551 Enum/Set editor will not fail to open when creating a new column
- issue #17659 Fix error when a database group is named tables, views, functions, procedures or events
- issue #17673 Allow empty values to be inserted into columns
- issue #17620 Fix error handling at phpMyAdmin startup for the JS SQL console
- issue Fixed debug queries console broken UI for query time and group count
- issue Fixed escaping of SQL query and errors for the debug console
- issue Fix console toolbar UI when the bookmark feature is disabled and sql debug is enabled
- issue #17543 Fix JS error on saving a new designer page
- issue #17546 Fix JS error after using save as and open page operation on the designer
- issue Fix PHP warning on GIS visualization when there is only one GIS column
- issue #17728 Some select HTML tags will now have the correct UI style
- issue #17734 PHP deprecations will only be shown when in a development environment
- issue #17369 Fix server error when blowfish_secret is not exactly 32 bytes long
- issue #17736 Add utf8mb3 as an alias of utf8 on the charset description page
- issue #16418 Fix FAQ 1.44 about manually removing vendor folders
- issue #12359 Setup page now sends the Content-Security-Policy headers
- issue #17747 The Column Visibility Toggle will not be hidden by other elements
- issue #17756 Edit/Copy/Delete row now works when using GROUP BY
- issue #17248 Support the UUID data type for MariaDB >= 10.7
- issue #17656 Fix replace/change/set table prefix is not working
- issue Fix monitor page filter queries only filtering the first row
- issue Fix 'Link not found!' on foreign columns for tables having no char column to show
- issue #17390 Fix 'Create view' modal doesn't show on results and empty results
- issue #17772 Fix wrong styles for add button from central columns
- issue #17389 Fix HTML disappears when exporting settings to browser's storage
- issue #17166 Fix 'Warning: #1287 'X' is deprecated [...] Please use ST_X instead.' on search page
- issue Use jquery-migrate.min.js (14KB) instead of jquery-migrate.min.js (31KB)
- issue #17842 Use jquery.validate.min.js (24 KB) instead of jquery.validate.js (50 KB)
- issue #17281 Fix links to databases for information_schema.SCHEMATA
- issue #17553 Fix Metro theme unreadable links above navigation tree
- issue #17553 Metro theme UI fixes and improvements
- issue #17553 Fix Metro theme login form with
- issue #16042 Exported gzip file of database has first ~73 kB uncompressed and rest is gzip compressed in Firefox
- issue #17705 Fix inline SQL query edit FK checkbox preventing submit buttons from working
- issue #17777 Fix Uncaught TypeError: Cannot read properties of null (reading 'inline') on datepickers when re-opened
- issue Fix Original theme buttons style and login form width
- issue #17892 Fix closing index edit modal and reopening causes it to fire twice
- issue #17606 Fix preview SQL modal not working inside 'Add Index' modal
- issue Fix PHP error on adding new column on create table form
- issue #17482 Default to 'Full texts' when running explain statements
- issue Fixed Chrome scrolling performance issue on a textarea of an 'export as text' page
- issue #17703 Fix datepicker appears on all fields, not just date
- issue Fix space in the tree line when a DB is expanded
- issue #17340 Fix 'New Table' page -> 'VIRTUAL' attribute is lost when adding a new column
- issue #17446 Fix missing option for STORED virtual column on MySQL and PERSISTENT is not supported on MySQL
- issue #17446 Lower the check for virtual columns to MySQL>=5.7.6 nothing is supported on 5.7.5
- issue Fix column names option for CSV Export
- issue #17177 Fix preview SQL when reordering columns doesn't work on move columns
- issue #15887 Fixed DROP TABLE errors ignored on multi table select for DROP
- issue #17944 Fix unable to create a view from tree view button
- issue #17927 Fix key navigation between select inputs (drop an old Firefox workaround)
- issue #17967 Fix missing icon for collapse all button
- issue #18006 Fixed UUID columns can't be moved
- issue Add `spellcheck='false'` to all password fields and some text fields to avoid spell-jacking data leaks
- issue Remove non working 'Analyze Explain at MariaDB.org' button (MariaDB stopped this service)
- issue #17229 Add support for Web Authentication API because Chrome removed support for the U2F API
- issue #18019 Fix 'Call to a member function fetchAssoc() on bool' with SQL mode ONLY_FULL_GROUP_BY on monitor search logs
- issue Add back UUID and UUID_SHORT to functions on MySQL and all MariaDB versions
- issue #17398 Fix clicking on JSON columns triggers update query
- issue Fix silent JSON parse error on upload progress
- issue #17833 Fix 'Add Parameter' button not working for Add Routine Screen
- issue #17365 Fixed 'Uncaught Error: regexp too big' on server status variables page
Update to 5.2.0
* Bugfix
- issue #16521 Upgrade Bootstrap to version 5
- issue #16521 Drop support for Internet Explorer and others
- issue Upgrade to shapefile 3
- issue #16555 Bump minimum PHP version to 7.2
- issue Remove the phpseclib dependency
- issue Upgrade Symfony components to version 5.2
- issue Upgrade to Motranslator 4
- issue #16005 Improve the performance of the Export logic
- issue #16829 Add NOT LIKE %...% operator to Table search
- issue #16845 Fixed some links not passing through url.php
- issue #16382 Remove apc upload progress method (all upload progress code was removed from the PHP extension)
- issue #16974 Replace zxcvbn by zxcvbn-ts
- issue #15691 Disable the last column checkbox in the column list dropdown instead of not allowing un-check
- issue #16138 Ignore the length of integer types and show a warning on MySQL >= 8.0.18
- issue Add support for the Mroonga engine
- issue Double click column name to directly copy to clipboard
- issue #16425 Add DELETE FROM table on table operations page
- issue #16482 Add a select all link for table-specific privileges
- issue #14276 Add support for account locking
- issue #17143 Use composer/ca-bundle to manage the CA cert file
- issue #17143 Require the openssl PHP extension
- issue #17171 Remove the printview.css file from themes
- issue #17203 Redesign the export and the import pages
- issue #16197 Replace the master/slave terminology
- issue #17257 Replace libraries/vendor_config.php constants with an array
- issue Add the Bootstrap theme
- issue #17499 Remove stickyfilljs JavaScript dependency
Update to 5.1.3
This is a security and bufix release.
* Security
- Fix for boo#1197036 (CVE-2022-0813)
- Fix for path disclosure under certain server configurations
(if display_errors is on, for instance)
* Bugfix
- issue #17308 Fix broken pagination links in the navigation sidebar
- issue #17331 Fix MariaDB has no support for system variable 'disabled_storage_engines'
- issue #17315 Fix unsupported operand types in Results.php when running 'SHOW PROCESSLIST' SQL query
- issue #17288 Fixed importing browser settings question box after login when having no pmadb
- issue #17288 Fix 'First day of calendar' user override has no effect
- issue #17239 Fixed repeating headers are not working
- issue #17298 Fixed import of email-adresses or links from ODS results in empty contents
- issue #17344 Fixed a type error on ODS import with non string values
- issue #17239 Fixed header row show/hide columns buttons on each line after hover are shown on each row
Update to 5.1.2
This is a security and bufix release.
* Security
- Fix boo#1195017 (CVE-2022-23807, PMASA-2022-1, CWE-661)
Two factor authentication bypass
- Fix boo#1195018 (CVE-2022-23808, PMASA-2022-2, CWE-661)
Multiple XSS and HTML injection attacks in setup script
* Bugfixes
- Revert a changed to $cfg['CharTextareaRows'] allow values
less than 7
- Fix encoding of enum and set values on edit value
- Fixed possible 'Undefined index: clause_is_unique' error
- Fixed some situations where a user is logged out when working
with more than one server
- Fixed a problem with assigning privileges to a user using the
multiselect list when the database name has an underscore
- Enable cookie parameter 'SameSite' when the PHP version
is 7.3 or newer
- Correctly handle the removal of 'innodb_file_format' in
MariaDB and MySQL
Patchnames
openSUSE-2023-47
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for phpMyAdmin",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for phpMyAdmin fixes the following issues:\n\nphpMyAdmin was updated to 5.2.1\n\nThis is a security and bufix release.\n\n* Security:\n\n - Fix (PMASA-2023-01, CWE-661, boo#1208186, CVE-2023-25727) \n Fix an XSS attack through the drag-and-drop upload feature.\n\n* Bugfixes:\n\n - issue #17522 Fix case where the routes cache file is invalid\n - issue #17506 Fix error when configuring 2FA without XMLWriter or Imagick\n - issue Fix blank page when some error occurs\n - issue #17519 Fix Export pages not working in certain conditions\n - issue #17496 Fix error in table operation page when partitions are broken\n - issue #17386 Fix system memory and system swap values on Windows\n - issue #17517 Fix Database Server panel not getting hidden by ShowServerInfo configuration directive\n - issue #17271 Fix database names not showing on Processes tab\n - issue #17424 Fix export limit size calculation\n - issue #17366 Fix refresh rate popup on Monitor page\n - issue #17577 Fix monitor charts size on RTL languages\n - issue #17121 Fix password_hash function incorrectly adding single quotes to password before hashing\n - issue #17586 Fix statistics not showing for empty databases\n - issue #17592 Clicking on the New index link on the sidebar does not throw an error anymore\n - issue #17584 It\u0027s now possible to browse a database that includes two % in its name\n - issue Fix PHP 8.2 deprecated string interpolation syntax\n - issue Some languages are now correctly detected from the HTTP header\n - issue #17617 Sorting is correctly remembered when $cfg[\u0027RememberSorting\u0027] is true\n - issue #17593 Table filtering now works when action buttons are on the right side of the row\n - issue #17388 Find and Replace using regex now makes a valid query if no matching result set found\n - issue #17551 Enum/Set editor will not fail to open when creating a new column\n - issue #17659 Fix error when a database group is named tables, views, functions, procedures or events\n - issue #17673 Allow empty values to be inserted into columns\n - issue #17620 Fix error handling at phpMyAdmin startup for the JS SQL console\n - issue Fixed debug queries console broken UI for query time and group count\n - issue Fixed escaping of SQL query and errors for the debug console\n - issue Fix console toolbar UI when the bookmark feature is disabled and sql debug is enabled\n - issue #17543 Fix JS error on saving a new designer page\n - issue #17546 Fix JS error after using save as and open page operation on the designer\n - issue Fix PHP warning on GIS visualization when there is only one GIS column\n - issue #17728 Some select HTML tags will now have the correct UI style\n - issue #17734 PHP deprecations will only be shown when in a development environment\n - issue #17369 Fix server error when blowfish_secret is not exactly 32 bytes long\n - issue #17736 Add utf8mb3 as an alias of utf8 on the charset description page\n - issue #16418 Fix FAQ 1.44 about manually removing vendor folders\n - issue #12359 Setup page now sends the Content-Security-Policy headers\n - issue #17747 The Column Visibility Toggle will not be hidden by other elements\n - issue #17756 Edit/Copy/Delete row now works when using GROUP BY\n - issue #17248 Support the UUID data type for MariaDB \u003e= 10.7\n - issue #17656 Fix replace/change/set table prefix is not working\n - issue Fix monitor page filter queries only filtering the first row\n - issue Fix \u0027Link not found!\u0027 on foreign columns for tables having no char column to show\n - issue #17390 Fix \u0027Create view\u0027 modal doesn\u0027t show on results and empty results\n - issue #17772 Fix wrong styles for add button from central columns\n - issue #17389 Fix HTML disappears when exporting settings to browser\u0027s storage\n - issue #17166 Fix \u0027Warning: #1287 \u0027X\u0027 is deprecated [...] Please use ST_X instead.\u0027 on search page\n - issue Use jquery-migrate.min.js (14KB) instead of jquery-migrate.min.js (31KB)\n - issue #17842 Use jquery.validate.min.js (24 KB) instead of jquery.validate.js (50 KB)\n - issue #17281 Fix links to databases for information_schema.SCHEMATA\n - issue #17553 Fix Metro theme unreadable links above navigation tree\n - issue #17553 Metro theme UI fixes and improvements\n - issue #17553 Fix Metro theme login form with\n - issue #16042 Exported gzip file of database has first ~73 kB uncompressed and rest is gzip compressed in Firefox\n - issue #17705 Fix inline SQL query edit FK checkbox preventing submit buttons from working\n - issue #17777 Fix Uncaught TypeError: Cannot read properties of null (reading \u0027inline\u0027) on datepickers when re-opened\n - issue Fix Original theme buttons style and login form width\n - issue #17892 Fix closing index edit modal and reopening causes it to fire twice\n - issue #17606 Fix preview SQL modal not working inside \u0027Add Index\u0027 modal\n - issue Fix PHP error on adding new column on create table form\n - issue #17482 Default to \u0027Full texts\u0027 when running explain statements\n - issue Fixed Chrome scrolling performance issue on a textarea of an \u0027export as text\u0027 page\n - issue #17703 Fix datepicker appears on all fields, not just date\n - issue Fix space in the tree line when a DB is expanded\n - issue #17340 Fix \u0027New Table\u0027 page -\u003e \u0027VIRTUAL\u0027 attribute is lost when adding a new column\n - issue #17446 Fix missing option for STORED virtual column on MySQL and PERSISTENT is not supported on MySQL\n - issue #17446 Lower the check for virtual columns to MySQL\u003e=5.7.6 nothing is supported on 5.7.5\n - issue Fix column names option for CSV Export\n - issue #17177 Fix preview SQL when reordering columns doesn\u0027t work on move columns\n - issue #15887 Fixed DROP TABLE errors ignored on multi table select for DROP\n - issue #17944 Fix unable to create a view from tree view button\n - issue #17927 Fix key navigation between select inputs (drop an old Firefox workaround)\n - issue #17967 Fix missing icon for collapse all button\n - issue #18006 Fixed UUID columns can\u0027t be moved\n - issue Add `spellcheck=\u0027false\u0027` to all password fields and some text fields to avoid spell-jacking data leaks\n - issue Remove non working \u0027Analyze Explain at MariaDB.org\u0027 button (MariaDB stopped this service)\n - issue #17229 Add support for Web Authentication API because Chrome removed support for the U2F API\n - issue #18019 Fix \u0027Call to a member function fetchAssoc() on bool\u0027 with SQL mode ONLY_FULL_GROUP_BY on monitor search logs\n - issue Add back UUID and UUID_SHORT to functions on MySQL and all MariaDB versions\n - issue #17398 Fix clicking on JSON columns triggers update query\n - issue Fix silent JSON parse error on upload progress\n - issue #17833 Fix \u0027Add Parameter\u0027 button not working for Add Routine Screen\n - issue #17365 Fixed \u0027Uncaught Error: regexp too big\u0027 on server status variables page\n\nUpdate to 5.2.0\n\n* Bugfix\n\n - issue #16521 Upgrade Bootstrap to version 5\n - issue #16521 Drop support for Internet Explorer and others\n - issue Upgrade to shapefile 3\n - issue #16555 Bump minimum PHP version to 7.2\n - issue Remove the phpseclib dependency\n - issue Upgrade Symfony components to version 5.2\n - issue Upgrade to Motranslator 4\n - issue #16005 Improve the performance of the Export logic\n - issue #16829 Add NOT LIKE %...% operator to Table search\n - issue #16845 Fixed some links not passing through url.php\n - issue #16382 Remove apc upload progress method (all upload progress code was removed from the PHP extension)\n - issue #16974 Replace zxcvbn by zxcvbn-ts\n - issue #15691 Disable the last column checkbox in the column list dropdown instead of not allowing un-check\n - issue #16138 Ignore the length of integer types and show a warning on MySQL \u003e= 8.0.18\n - issue Add support for the Mroonga engine\n - issue Double click column name to directly copy to clipboard\n - issue #16425 Add DELETE FROM table on table operations page\n - issue #16482 Add a select all link for table-specific privileges\n - issue #14276 Add support for account locking\n - issue #17143 Use composer/ca-bundle to manage the CA cert file\n - issue #17143 Require the openssl PHP extension\n - issue #17171 Remove the printview.css file from themes\n - issue #17203 Redesign the export and the import pages\n - issue #16197 Replace the master/slave terminology\n - issue #17257 Replace libraries/vendor_config.php constants with an array\n - issue Add the Bootstrap theme\n - issue #17499 Remove stickyfilljs JavaScript dependency\n\nUpdate to 5.1.3\n\nThis is a security and bufix release.\n\n* Security\n\n - Fix for boo#1197036 (CVE-2022-0813)\n - Fix for path disclosure under certain server configurations\n (if display_errors is on, for instance)\n\n* Bugfix\n\n - issue #17308 Fix broken pagination links in the navigation sidebar\n - issue #17331 Fix MariaDB has no support for system variable \u0027disabled_storage_engines\u0027\n - issue #17315 Fix unsupported operand types in Results.php when running \u0027SHOW PROCESSLIST\u0027 SQL query\n - issue #17288 Fixed importing browser settings question box after login when having no pmadb\n - issue #17288 Fix \u0027First day of calendar\u0027 user override has no effect\n - issue #17239 Fixed repeating headers are not working\n - issue #17298 Fixed import of email-adresses or links from ODS results in empty contents\n - issue #17344 Fixed a type error on ODS import with non string values\n - issue #17239 Fixed header row show/hide columns buttons on each line after hover are shown on each row\n\nUpdate to 5.1.2\n\nThis is a security and bufix release.\n\n* Security\n\n - Fix boo#1195017 (CVE-2022-23807, PMASA-2022-1, CWE-661) \n Two factor authentication bypass\n - Fix boo#1195018 (CVE-2022-23808, PMASA-2022-2, CWE-661)\n Multiple XSS and HTML injection attacks in setup script\n\n* Bugfixes\n\n - Revert a changed to $cfg[\u0027CharTextareaRows\u0027] allow values\n less than 7\n - Fix encoding of enum and set values on edit value\n - Fixed possible \u0027Undefined index: clause_is_unique\u0027 error\n - Fixed some situations where a user is logged out when working\n with more than one server\n - Fixed a problem with assigning privileges to a user using the\n multiselect list when the database name has an underscore\n - Enable cookie parameter \u0027SameSite\u0027 when the PHP version\n is 7.3 or newer\n - Correctly handle the removal of \u0027innodb_file_format\u0027 in\n MariaDB and MySQL\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2023-47",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2023_0047-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2023:0047-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VQ5VVS2CGDQ32RHYLQQZFFFADPEZO6KM/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2023:0047-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VQ5VVS2CGDQ32RHYLQQZFFFADPEZO6KM/"
},
{
"category": "self",
"summary": "SUSE Bug 1195017",
"url": "https://bugzilla.suse.com/1195017"
},
{
"category": "self",
"summary": "SUSE Bug 1195018",
"url": "https://bugzilla.suse.com/1195018"
},
{
"category": "self",
"summary": "SUSE Bug 1197036",
"url": "https://bugzilla.suse.com/1197036"
},
{
"category": "self",
"summary": "SUSE Bug 1208186",
"url": "https://bugzilla.suse.com/1208186"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-0813 page",
"url": "https://www.suse.com/security/cve/CVE-2022-0813/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23807 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23807/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23808 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23808/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2023-25727/"
}
],
"title": "Security update for phpMyAdmin",
"tracking": {
"current_release_date": "2023-02-15T10:21:02Z",
"generator": {
"date": "2023-02-15T10:21:02Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2023:0047-1",
"initial_release_date": "2023-02-15T10:21:02Z",
"revision_history": [
{
"date": "2023-02-15T10:21:02Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"product": {
"name": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"product_id": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"product": {
"name": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"product_id": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"product": {
"name": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"product_id": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP4",
"product": {
"name": "SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.4",
"product": {
"name": "openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch"
},
"product_reference": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch"
},
"product_reference": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
},
"product_reference": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch"
},
"product_reference": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch"
},
"product_reference": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
},
"product_reference": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-0813",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-0813"
}
],
"notes": [
{
"category": "general",
"text": "PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially sensitive information by creating invalid requests. This affects the lang parameter, the pma_parameter, and the cookie section.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-0813",
"url": "https://www.suse.com/security/cve/CVE-2022-0813"
},
{
"category": "external",
"summary": "SUSE Bug 1197036 for CVE-2022-0813",
"url": "https://bugzilla.suse.com/1197036"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-02-15T10:21:02Z",
"details": "moderate"
}
],
"title": "CVE-2022-0813"
},
{
"cve": "CVE-2022-23807",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23807"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23807",
"url": "https://www.suse.com/security/cve/CVE-2022-23807"
},
{
"category": "external",
"summary": "SUSE Bug 1195017 for CVE-2022-23807",
"url": "https://bugzilla.suse.com/1195017"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-02-15T10:21:02Z",
"details": "moderate"
}
],
"title": "CVE-2022-23807"
},
{
"cve": "CVE-2022-23808",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23808"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23808",
"url": "https://www.suse.com/security/cve/CVE-2022-23808"
},
{
"category": "external",
"summary": "SUSE Bug 1195018 for CVE-2022-23808",
"url": "https://bugzilla.suse.com/1195018"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-02-15T10:21:02Z",
"details": "moderate"
}
],
"title": "CVE-2022-23808"
},
{
"cve": "CVE-2023-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-25727"
}
],
"notes": [
{
"category": "general",
"text": "In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger XSS by uploading a crafted .sql file through the drag-and-drop interface.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-25727",
"url": "https://www.suse.com/security/cve/CVE-2023-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1208186 for CVE-2023-25727",
"url": "https://bugzilla.suse.com/1208186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-02-15T10:21:02Z",
"details": "moderate"
}
],
"title": "CVE-2023-25727"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…