CVE-2018-19968

MEDIUM

phpMyAdmin <4.8.4 - Info Disclosure

Title source: llm

Description

An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a local file because of an error in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system.

References (4)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/106178

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/02/msg00003.html

[Third Party Advisory] https://security.gentoo.org/glsa/201904-16

[Patch, Vendor Advisory] https://www.phpmyadmin.net/security/PMASA-2018-6/

Scores

CVSS v3 6.5

EPSS 0.0254

EPSS Percentile 85.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-200

Status published

Affected Products (3)

phpmyadmin/phpmyadmin < 4.8.4

debian/debian_linux

phpmyadmin/phpmyadmin < 4.8.4Packagist

Timeline

Published Dec 11, 2018

Tracked Since Feb 18, 2026