All the vulnerabilites related to Adminer - Adminer
cve-2018-7667
Vulnerability from cvelistv5
Published
2018-03-05 07:00
Modified
2024-08-05 06:31
Severity
Summary
Adminer through 4.3.1 has SSRF via the server parameter.
References
| URL | Tags |
|---|---|
| http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2018/03/msg00014.html | mailing-list, x_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:31:05.042Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt"
},
{
"name": "[debian-lts-announce] 20180322 [SECURITY] [DLA 1311-1] adminer security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00014.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-03-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Adminer through 4.3.1 has SSRF via the server parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-23T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt"
},
{
"name": "[debian-lts-announce] 20180322 [SECURITY] [DLA 1311-1] adminer security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00014.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-7667",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Adminer through 4.3.1 has SSRF via the server parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt",
"refsource": "MISC",
"url": "http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt"
},
{
"name": "[debian-lts-announce] 20180322 [SECURITY] [DLA 1311-1] adminer security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00014.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-7667",
"datePublished": "2018-03-05T07:00:00",
"dateReserved": "2018-03-05T00:00:00",
"dateUpdated": "2024-08-05T06:31:05.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-45197
Vulnerability from cvelistv5
Published
2024-06-21 14:28
Modified
2024-08-02 20:14
Severity
Summary
Adminer and AdminerEvo vulnerable to directory traversal and file upload
References
Impacted products
| Vendor | Product |
|---|---|
| Adminer | Adminer |
| AdminerEvo | AdminerEvo |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45197",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-21T16:13:59.794884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T16:14:14.814Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.841Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/adminerevo/adminerevo/commit/1cc06d6a1005fd833fa009701badd5641627a1d4"
},
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://github.com/adminerevo/adminerevo/releases/tag/v4.8.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:adminer:adminer:0:*:*:*:*:*:*:*",
"cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "Adminer",
"vendor": "Adminer",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*",
"status": "affected",
"version": "cpe:2.3:a:adminer:adminer:0:*:*:*:*:*:*:*",
"versionType": "cpe"
}
]
},
{
"cpes": [
"cpe:2.3:a:adminerevo:adminerevo:4.8.2:*:*:*:*:*:*:*",
"cpe:2.3:a:adminerevo:adminerevo:4.8.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "AdminerEvo",
"programFiles": [
"plugins/file-upload.php"
],
"repo": "https://github.com/adminerevo/adminerevo",
"vendor": "AdminerEvo",
"versions": [
{
"lessThan": "4.8.3",
"status": "affected",
"version": "4.8.2",
"versionType": "custom"
},
{
"lessThan": "cpe:2.3:a:adminerevo:adminerevo:4.8.3:*:*:*:*:*:*:*",
"status": "affected",
"version": "cpe:2.3:a:adminerevo:adminerevo:0:*:*:*:*:*:*:*",
"versionType": "cpe"
}
]
}
],
"datePublic": "2023-10-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe file upload plugin in Adminer and AdminerEvo allows an attacker to upload a file with a table name of \u201c..\u201d to the root of the Adminer directory. The attacker can effectively guess the name of the uploaded file and execute it. Adminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.3.\u003c/p\u003e"
}
],
"value": "The file upload plugin in Adminer and AdminerEvo allows an attacker to upload a file with a table name of \u201c..\u201d to the root of the Adminer directory. The attacker can effectively guess the name of the uploaded file and execute it. Adminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.3."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T20:27:12.198Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/adminerevo/adminerevo/commit/1cc06d6a1005fd833fa009701badd5641627a1d4"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/adminerevo/adminerevo/releases/tag/v4.8.3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Adminer and AdminerEvo vulnerable to directory traversal and file upload",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2023-45197",
"datePublished": "2024-06-21T14:28:36.476Z",
"dateReserved": "2023-10-05T03:54:13.664Z",
"dateUpdated": "2024-08-02T20:14:19.841Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-21311
Vulnerability from cvelistv5
Published
2021-02-11 20:55
Modified
2024-08-03 18:09
Severity
Summary
SSRF in adminer
References
| URL | Tags |
|---|---|
| https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6 | x_refsource_CONFIRM |
| https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf | x_refsource_MISC |
| https://packagist.org/packages/vrana/adminer | x_refsource_MISC |
| https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351 | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2021/03/msg00002.html | mailing-list, x_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:15.132Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packagist.org/packages/vrana/adminer"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351"
},
{
"name": "[debian-lts-announce] 20210302 [SECURITY] [DLA 2580-1] adminer security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "adminer",
"vendor": "vrana",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.7.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-02T21:06:28",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packagist.org/packages/vrana/adminer"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351"
},
{
"name": "[debian-lts-announce] 20210302 [SECURITY] [DLA 2580-1] adminer security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00002.html"
}
],
"source": {
"advisory": "GHSA-x5r2-hj5c-8jx6",
"discovery": "UNKNOWN"
},
"title": "SSRF in adminer",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21311",
"STATE": "PUBLIC",
"TITLE": "SSRF in adminer"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "adminer",
"version": {
"version_data": [
{
"version_value": "\u003e= 4.0.0, \u003c 4.7.9"
}
]
}
}
]
},
"vendor_name": "vrana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918: Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6",
"refsource": "CONFIRM",
"url": "https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6"
},
{
"name": "https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf",
"refsource": "MISC",
"url": "https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf"
},
{
"name": "https://packagist.org/packages/vrana/adminer",
"refsource": "MISC",
"url": "https://packagist.org/packages/vrana/adminer"
},
{
"name": "https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351",
"refsource": "MISC",
"url": "https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351"
},
{
"name": "[debian-lts-announce] 20210302 [SECURITY] [DLA 2580-1] adminer security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00002.html"
}
]
},
"source": {
"advisory": "GHSA-x5r2-hj5c-8jx6",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21311",
"datePublished": "2021-02-11T20:55:15",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:15.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-35572
Vulnerability from cvelistv5
Published
2021-02-09 17:55
Modified
2024-08-04 17:09
Severity
Summary
Adminer through 4.7.8 allows XSS via the history parameter to the default URI.
References
| URL | Tags |
|---|---|
| https://sourceforge.net/p/adminer/news/ | x_refsource_MISC |
| https://sourceforge.net/p/adminer/bugs-and-features/775/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:09:13.413Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/p/adminer/news/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/p/adminer/bugs-and-features/775/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Adminer through 4.7.8 allows XSS via the history parameter to the default URI."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-09T17:55:56",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/p/adminer/news/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/p/adminer/bugs-and-features/775/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-35572",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Adminer through 4.7.8 allows XSS via the history parameter to the default URI."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://sourceforge.net/p/adminer/news/",
"refsource": "MISC",
"url": "https://sourceforge.net/p/adminer/news/"
},
{
"name": "https://sourceforge.net/p/adminer/bugs-and-features/775/",
"refsource": "MISC",
"url": "https://sourceforge.net/p/adminer/bugs-and-features/775/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-35572",
"datePublished": "2021-02-09T17:55:56",
"dateReserved": "2020-12-20T00:00:00",
"dateUpdated": "2024-08-04T17:09:13.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-29625
Vulnerability from cvelistv5
Published
2021-05-19 21:35
Modified
2024-08-03 22:11
Severity
Summary
XSS in doc_link
References
| URL | Tags |
|---|---|
| https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc | x_refsource_CONFIRM |
| https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7 | x_refsource_MISC |
| https://sourceforge.net/p/adminer/bugs-and-features/797/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:11:06.269Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/p/adminer/bugs-and-features/797/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "adminer",
"vendor": "vrana",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.7.8, \u003c 4.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected. The vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-19T21:35:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/p/adminer/bugs-and-features/797/"
}
],
"source": {
"advisory": "GHSA-2v82-5746-vwqc",
"discovery": "UNKNOWN"
},
"title": "XSS in doc_link",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-29625",
"STATE": "PUBLIC",
"TITLE": "XSS in doc_link"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "adminer",
"version": {
"version_data": [
{
"version_value": "\u003e= 4.7.8, \u003c 4.8.1"
}
]
}
}
]
},
"vendor_name": "vrana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected. The vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`)."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc",
"refsource": "CONFIRM",
"url": "https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc"
},
{
"name": "https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7",
"refsource": "MISC",
"url": "https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7"
},
{
"name": "https://sourceforge.net/p/adminer/bugs-and-features/797/",
"refsource": "MISC",
"url": "https://sourceforge.net/p/adminer/bugs-and-features/797/"
}
]
},
"source": {
"advisory": "GHSA-2v82-5746-vwqc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-29625",
"datePublished": "2021-05-19T21:35:11",
"dateReserved": "2021-03-30T00:00:00",
"dateUpdated": "2024-08-03T22:11:06.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-45196
Vulnerability from cvelistv5
Published
2024-06-24 20:48
Modified
2024-08-02 20:14
Severity
Summary
Adminer and AdminerEvo denial of service via HTTP redirect
References
Impacted products
| Vendor | Product |
|---|---|
| Adminer | Adminer |
| AdminerEvo | AdminerEvo |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45196",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-25T13:20:08.611689Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T13:20:53.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:20.034Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/adminerevo/adminerevo/pull/102/commits/23e7cdc0a32b3739e13d19ae504be0fe215142b6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:adminer:adminer:0:*:*:*:*:*:*:*",
"cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "Adminer",
"vendor": "Adminer",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*",
"status": "affected",
"version": "cpe:2.3:a:adminer:adminer:0:*:*:*:*:*:*:*",
"versionType": "cpe"
}
]
},
{
"cpes": [
"cpe:2.3:a:adminerevo:adminerevo:4.8.2:*:*:*:*:*:*:*",
"cpe:2.3:a:adminerevo:adminerevo:4.8.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "AdminerEvo",
"repo": "https://github.com/adminerevo/adminerevo",
"vendor": "AdminerEvo",
"versions": [
{
"lessThan": "4.8.4",
"status": "affected",
"version": "4.8.2",
"versionType": "custom"
},
{
"lessThan": "cpe:2.3:a:adminerevo:adminerevo:4.8.4:*:*:*:*:*:*:*",
"status": "affected",
"version": "cpe:2.3:a:adminerevo:adminerevo:0:*:*:*:*:*:*:*",
"versionType": "cpe"
}
]
}
],
"datePublic": "2024-04-07T15:37:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eAdminer and AdminerEvo allow an unauthenticated remote attacker to cause a denial of service by connecting to an attacker-controlled service that responds with HTTP redirects. The denial of service is subject to PHP configuration limits.\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eAdminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.4.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Adminer and AdminerEvo allow an unauthenticated remote attacker to cause a denial of service by connecting to an attacker-controlled service that responds with HTTP redirects. The denial of service is subject to PHP configuration limits.\u00a0Adminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.4."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/AU:Y",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T20:48:21.534Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/adminerevo/adminerevo/pull/102/commits/23e7cdc0a32b3739e13d19ae504be0fe215142b6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Adminer and AdminerEvo denial of service via HTTP redirect",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2023-45196",
"datePublished": "2024-06-24T20:48:21.534Z",
"dateReserved": "2023-10-05T03:54:13.664Z",
"dateUpdated": "2024-08-02T20:14:20.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-45195
Vulnerability from cvelistv5
Published
2024-06-24 21:06
Modified
2024-08-02 20:14
Severity
Summary
Adminer and AdminerEvo SSRF
References
Impacted products
| Vendor | Product |
|---|---|
| Adminer | Adminer |
| AdminerEvo | AdminerEvo |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45195",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-25T14:34:53.587598Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T14:35:33.373Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.950Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/adminerevo/adminerevo/pull/102/commits/18f3167bbcbec3bc746f62db72e016aa99144efc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:adminer:adminer:0:*:*:*:*:*:*:*",
"cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "Adminer",
"vendor": "Adminer",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*",
"status": "affected",
"version": "cpe:2.3:a:adminer:adminer:0:*:*:*:*:*:*:*",
"versionType": "cpe"
}
]
},
{
"cpes": [
"cpe:2.3:a:adminerevo:adminerevo:4.8.2:*:*:*:*:*:*:*",
"cpe:2.3:a:adminerevo:adminerevo:4.8.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "AdminerEvo",
"repo": "https://github.com/adminerevo/adminerevo",
"vendor": "AdminerEvo",
"versions": [
{
"lessThan": "4.8.4",
"status": "affected",
"version": "4.8.2",
"versionType": "custom"
},
{
"lessThan": "cpe:2.3:a:adminerevo:adminerevo:4.8.4:*:*:*:*:*:*:*",
"status": "affected",
"version": "cpe:2.3:a:adminerevo:adminerevo:0:*:*:*:*:*:*:*",
"versionType": "cpe"
}
]
}
],
"datePublic": "2024-04-07T15:37:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAdminer and AdminerEvo are vulnerable to SSRF via database connection fields. This could allow an unauthenticated remote attacker to enumerate or access systems the attacker would not otherwise have access to.\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eAdminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.4.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Adminer and AdminerEvo are vulnerable to SSRF via database connection fields. This could allow an unauthenticated remote attacker to enumerate or access systems the attacker would not otherwise have access to.\u00a0Adminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.4."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T21:06:09.735Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/adminerevo/adminerevo/pull/102/commits/18f3167bbcbec3bc746f62db72e016aa99144efc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Adminer and AdminerEvo SSRF",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2023-45195",
"datePublished": "2024-06-24T21:06:09.735Z",
"dateReserved": "2023-10-05T03:54:13.664Z",
"dateUpdated": "2024-08-02T20:14:19.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-43008
Vulnerability from cvelistv5
Published
2022-04-05 01:46
Modified
2024-08-04 03:47
Severity
Summary
Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.
References
| URL | Tags |
|---|---|
| https://github.com/vrana/adminer/releases/tag/v4.6.3 | x_refsource_MISC |
| https://www.adminer.org/ | x_refsource_MISC |
| https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability | x_refsource_MISC |
| https://podalirius.net/en/cves/2021-43008/ | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2022/05/msg00012.html | mailing-list, x_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:47:13.222Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vrana/adminer/releases/tag/v4.6.3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.adminer.org/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://podalirius.net/en/cves/2021-43008/"
},
{
"name": "[debian-lts-announce] 20220513 [SECURITY] [DLA 3002-1] adminer security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00012.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-13T18:06:11",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vrana/adminer/releases/tag/v4.6.3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.adminer.org/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://podalirius.net/en/cves/2021-43008/"
},
{
"name": "[debian-lts-announce] 20220513 [SECURITY] [DLA 3002-1] adminer security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00012.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-43008",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/vrana/adminer/releases/tag/v4.6.3",
"refsource": "MISC",
"url": "https://github.com/vrana/adminer/releases/tag/v4.6.3"
},
{
"name": "https://www.adminer.org/",
"refsource": "MISC",
"url": "https://www.adminer.org/"
},
{
"name": "https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability",
"refsource": "MISC",
"url": "https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability"
},
{
"name": "https://podalirius.net/en/cves/2021-43008/",
"refsource": "MISC",
"url": "https://podalirius.net/en/cves/2021-43008/"
},
{
"name": "[debian-lts-announce] 20220513 [SECURITY] [DLA 3002-1] adminer security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00012.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-43008",
"datePublished": "2022-04-05T01:46:09",
"dateReserved": "2021-10-25T00:00:00",
"dateUpdated": "2024-08-04T03:47:13.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}