CVE-2018-19968
PUBLISHED
An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a local file because of an error in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system.
EPSS 2.38% · 85.3th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:16.04:LTS | phpmyadmin | 0, 4:4.4.13.1-1, 4:4.5.0.2-2 |
| Ubuntu:Pro:14.04:LTS | phpmyadmin | *, 4:4.0.10-1ubuntu0.1+esm1, 4:4.0.10-1ubuntu0.1+esm2 |
| Ubuntu:18.04:LTS | phpmyadmin | 4:4.6.6-5, 0 |
Timeline
- Dec 11, 2018 CVE Published
- Dec 11, 2018 PoC Published
- Apr 23, 2019 CVE Updated
- Apr 14, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Feb 27, 2022 EPSS Score
- Jul 2, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Jan 7, 2023 EPSS Score
- Mar 8, 2023 EPSS Score
- Mar 10, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-19968 third-party-advisory
- https://www.phpmyadmin.net/security/PMASA-2018-6/ third-party-advisory
- https://github.com/phpmyadmin/phpmyadmin/commit/6a1ba61e29002f0305a9322a8af4eaaeb11c0732 third-party-advisory
- https://ubuntu.com/security/notices/USN-4639-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-19968 third-party-advisory
- https://ubuntu.com/security/notices/USN-4843-1 vendor-advisory