VDB

CVE-2018-12613

CVE-2018-12613 PUBLISHED

Reported by mitre · Published June 21, 2018

An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).

Affected Products

VendorProductVersions
n/an/an/a
n/an/a*
alpinephpmyadmin0, 0, 0

Timeline

  • Jun 21, 2018 CVE Published
  • Jun 22, 2018 PoC Published
  • Jul 12, 2018 PoC Published
  • Nov 27, 2018 PoC Published
  • Apr 26, 2019 CVE Updated
  • Apr 14, 2021 EPSS Score
  • Jun 22, 2021 EPSS Score
  • Oct 25, 2021 PoC Published
  • Oct 25, 2021 EPSS Score
  • Oct 26, 2021 EPSS Score
  • Dec 27, 2021 EPSS Score
  • Feb 27, 2022 EPSS Score

References

  • x_refsource_CONFIRM
  • 45020 exploitx_refsource_EXPLOIT-DB
  • 104532 vdb-entryx_refsource_BID
  • 44924 exploitx_refsource_EXPLOIT-DB
  • 44928 exploitx_refsource_EXPLOIT-DB
  • GLSA-201904-16 vendor-advisoryx_refsource_GENTOO
  • x_refsource_MISC
Open in Interactive Console →
$ Console Community · 100/wk Open console ›