PMASA-2019-4

Announcement-ID: PMASA-2019-4

Date: 2019-06-04

Summary

CSRF vulnerability in login form

Description

A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim.

Severity

We consider this vulnerability to be severe.

Mitigation factor

Only the 'cookie' auth_type is affected; users can temporary use phpMyAdmin's http authentication as a workaround.

Affected Versions

All versions prior to phpMyAdmin 4.9.0 are affected, probably at least as old as version 4.0 (perhaps even earlier)

Solution

Upgrade to phpMyAdmin 4.9.0 or newer or apply patch listed below.

References

Thanks to Mauro Tempesta for reporting this vulnerability

Assigned CVE IDs: CVE-2019-12616

CWE IDs: CWE-661

Patches

The following commits have been made to fix this issue:

015c404038c44279d95b6430ee5a0dddc97691ec

More information

For further information and in case of questions, please contact the phpMyAdmin security team at security@phpmyadmin.net.

Announcements

PMASA-2025-3 PMASA-2025-2 PMASA-2025-1

PMASA-2023-1

PMASA-2022-2 PMASA-2022-1

PMASA-2020-6 PMASA-2020-5 PMASA-2020-4 PMASA-2020-3 PMASA-2020-2 PMASA-2020-1

PMASA-2019-5 PMASA-2019-4 PMASA-2019-3 PMASA-2019-2 PMASA-2019-1

PMASA-2018-8 PMASA-2018-7 PMASA-2018-6 PMASA-2018-5 PMASA-2018-4 PMASA-2018-3 PMASA-2018-2 PMASA-2018-1

PMASA-2017-9 PMASA-2017-8 PMASA-2017-7 PMASA-2017-6 PMASA-2017-5 PMASA-2017-4 PMASA-2017-3 PMASA-2017-2 PMASA-2017-1

PMASA-2016-71 PMASA-2016-70 PMASA-2016-69 PMASA-2016-68 PMASA-2016-67 PMASA-2016-66 PMASA-2016-65 PMASA-2016-64 PMASA-2016-63 PMASA-2016-62 PMASA-2016-61 PMASA-2016-60 PMASA-2016-59 PMASA-2016-58 PMASA-2016-57 PMASA-2016-56 PMASA-2016-55 PMASA-2016-54 PMASA-2016-53 PMASA-2016-52 PMASA-2016-51 PMASA-2016-50 PMASA-2016-49 PMASA-2016-48 PMASA-2016-47 PMASA-2016-46 PMASA-2016-45 PMASA-2016-44 PMASA-2016-43 PMASA-2016-42 PMASA-2016-41 PMASA-2016-40 PMASA-2016-39 PMASA-2016-38 PMASA-2016-37 PMASA-2016-36 PMASA-2016-35 PMASA-2016-34 PMASA-2016-33 PMASA-2016-32 PMASA-2016-31 PMASA-2016-30 PMASA-2016-29 PMASA-2016-28 PMASA-2016-27 PMASA-2016-26 PMASA-2016-25 PMASA-2016-24 PMASA-2016-23 PMASA-2016-22 PMASA-2016-21 PMASA-2016-20 PMASA-2016-19 PMASA-2016-18 PMASA-2016-17 PMASA-2016-16 PMASA-2016-15 PMASA-2016-14 PMASA-2016-13 PMASA-2016-12 PMASA-2016-11 PMASA-2016-10 PMASA-2016-9 PMASA-2016-8 PMASA-2016-7 PMASA-2016-6 PMASA-2016-5 PMASA-2016-4 PMASA-2016-3 PMASA-2016-2 PMASA-2016-1

PMASA-2015-6 PMASA-2015-5 PMASA-2015-4 PMASA-2015-3 PMASA-2015-2 PMASA-2015-1

PMASA-2014-18 PMASA-2014-17 PMASA-2014-16 PMASA-2014-15 PMASA-2014-14 PMASA-2014-13 PMASA-2014-12 PMASA-2014-11 PMASA-2014-10 PMASA-2014-9 PMASA-2014-8 PMASA-2014-7 PMASA-2014-6 PMASA-2014-5 PMASA-2014-4 PMASA-2014-3 PMASA-2014-2 PMASA-2014-1

PMASA-2013-15 PMASA-2013-14 PMASA-2013-13 PMASA-2013-12 PMASA-2013-11 PMASA-2013-10 PMASA-2013-9 PMASA-2013-8 PMASA-2013-7 PMASA-2013-6 PMASA-2013-5 PMASA-2013-4 PMASA-2013-3 PMASA-2013-2 PMASA-2013-1

PMASA-2012-7 PMASA-2012-6 PMASA-2012-5 PMASA-2012-4 PMASA-2012-3 PMASA-2012-2 PMASA-2012-1

PMASA-2010-10 PMASA-2010-9 PMASA-2010-8 PMASA-2010-7 PMASA-2010-6 PMASA-2010-5 PMASA-2010-4 PMASA-2010-3 PMASA-2010-2 PMASA-2010-1

PMASA-2009-6 PMASA-2009-5 PMASA-2009-4 PMASA-2009-3 PMASA-2009-2 PMASA-2009-1

PMASA-2008-10 PMASA-2008-9 PMASA-2008-8 PMASA-2008-7 PMASA-2008-6 PMASA-2008-5 PMASA-2008-4 PMASA-2008-3 PMASA-2008-2 PMASA-2008-1

PMASA-2007-8 PMASA-2007-7 PMASA-2007-6 PMASA-2007-5 PMASA-2007-4 PMASA-2007-3 PMASA-2007-2 PMASA-2007-1

PMASA-2006-9 PMASA-2006-8 PMASA-2006-7 PMASA-2006-6 PMASA-2006-5 PMASA-2006-4 PMASA-2006-3 PMASA-2006-2 PMASA-2006-1

PMASA-2005-9 PMASA-2005-8 PMASA-2005-7 PMASA-2005-6 PMASA-2005-5 PMASA-2005-4 PMASA-2005-3 PMASA-2005-2 PMASA-2005-1

PMASA-2004-4 PMASA-2004-3 PMASA-2004-2 PMASA-2004-1

PMASA-2003-1

PMASA-2019-4

Summary

Description

Severity

Mitigation factor

Affected Versions

Solution

References

Patches

More information

Announcements

2025 3

2023 1

2022 2

2020 6

2019 5

2018 8

2017 9

2016 71

2015 6

2014 18

2013 15

2012 7

2011 20

2010 10

2009 6

2008 10

2007 8

2006 9

2005 9

2004 4

2003 1