Description
import.php in phpMyAdmin 4.x before 4.0.4.1 does not properly restrict the ability of input data to specify a file format, which allows remote authenticated users to modify the GLOBALS superglobal array, and consequently change the configuration, via a crafted request.
References (2)
Core 2
Core References
Exploit, Patch x_refsource_confirm
https://github.com/phpmyadmin/phpmyadmin/commit/012464268420e53a9cd81cbb4a43988d70393c36
Vendor Advisory x_refsource_confirm
http://www.phpmyadmin.net/home_page/security/PMASA-2013-7.php
Scores
EPSS
0.0037
EPSS Percentile
58.7%
Details
CWE
CWE-264
Status
published
Products (6)
phpmyadmin/phpmyadmin
4.0.0 (3 CPE variants)
phpmyadmin/phpmyadmin
4.0.1
phpmyadmin/phpmyadmin
4.0.2
phpmyadmin/phpmyadmin
4.0.3
phpmyadmin/phpmyadmin
4.0.4
phpmyadmin/phpmyadmin
4.0 - 4.0.4.1Packagist
Published
Jul 04, 2013
Tracked Since
Feb 18, 2026