CVE-2011-4107

Sažetak

The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

Reference

http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069625.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069635.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069649.html
http://osvdb.org/76798
http://packetstormsecurity.org/files/view/106511/phpmyadmin-fileread.txt
http://seclists.org/fulldisclosure/2011/Nov/21
http://secunia.com/advisories/46447
http://securityreason.com/securityalert/8533
http://www.debian.org/security/2012/dsa-2391
http://www.mandriva.com/security/advisories?name=MDVSA-2011:198
http://www.openwall.com/lists/oss-security/2011/11/03/3
http://www.openwall.com/lists/oss-security/2011/11/03/5
http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
http://www.securityfocus.com/bid/50497
http://www.wooyun.org/bugs/wooyun-2010-03185
https://bugzilla.redhat.com/show_bug.cgi?id=751112
https://exchange.xforce.ibmcloud.com/vulnerabilities/71108

CVSS

Base:	4.3
Impact:	2.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:P/I:N/A:N

Zadnje važnije ažuriranje

09-02-2024 - 02:27

Objavljeno

17-11-2011 - 19:55