CVE-2011-4107

MEDIUM6.5EPSS 12.4%

phpMyAdmin vulnerable to XML external entity (XXE) injection attack

發布日:2022/5/17修改日:2026/5/7

描述

The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

受影響套件(2)

Debian/phpmyadminfrom 0, < 4:3.4.7.1-1
Packagist/phpmyadmin/phpmyadmin>= 3.4.0, < 3.4.7.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

參考連結(19)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2011-4107
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2011-4107
PATCHhttps://github.com/phpmyadmin/phpmyadmin
WEBhttp://lists.fedoraproject.org/pipermail/package-announce/2011-November/069625.html
WEBhttp://lists.fedoraproject.org/pipermail/package-announce/2011-November/069635.html
WEBhttp://lists.fedoraproject.org/pipermail/package-announce/2011-November/069649.html
WEBhttp://packetstormsecurity.org/files/view/106511/phpmyadmin-fileread.txt
WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=751112
WEBhttp://seclists.org/fulldisclosure/2011/Nov/21
WEBhttp://securityreason.com/securityalert/8533
WEBhttps://exchange.xforce.ibmcloud.com/vulnerabilities/71108
WEBhttps://github.com/phpmyadmin/phpmyadmin/commit/2fbf631384fd8cded55f4500cb87b129442f9ed2
WEBhttps://github.com/phpmyadmin/phpmyadmin/commit/34d99de000de9d15cfdf5e9cc8b7682d51110bbd
WEBhttps://github.com/phpmyadmin/phpmyadmin/commit/5fa86b8e81565c15ddbc359e8f59ecd829a2b717
WEBhttps://github.com/phpmyadmin/phpmyadmin/commit/a5e206fbd2ca814042cfc1bb7dd3b40c28ce3fb5
WEBhttp://www.debian.org/security/2012/dsa-2391
WEBhttp://www.openwall.com/lists/oss-security/2011/11/03/3
WEBhttp://www.openwall.com/lists/oss-security/2011/11/03/5
WEBhttp://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php