CVE-2011-4107
moderate-risk
Published 2011-11-17
The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
Do I need to act?
12.4% chance of exploitation in next 30 days (EPSS score: higher than 88% of all CVEs)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
1 public exploit available
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 6.5/10 · Medium · NETWORK / LOW complexity
Affected Products (5)
Affected Vendors
References (34)
Broken Link: http://osvdb.org/76798
Broken Link: http://secunia.com/advisories/46447
Broken Link: http://securityreason.com/securityalert/8533
Mailing List: http://www.debian.org/security/2012/dsa-2391
Broken Link: http://www.securityfocus.com/bid/50497
Broken Link: http://www.wooyun.org/bugs/wooyun-2010-03185
Third Party Advisory: https://exchange.xforce.ibmcloud.com/vulnerabilities/71108
and 14 more references
48 / 100 · moderate-risk
Severity: 24/34 · High
Exploitability: 12/34 · Low
Exposure: 12/34 · Low