CVE-2015-3902: CSRF
First published: Tue May 26 2015(Updated: )
Multiple cross-site request forgery (CSRF) vulnerabilities in the setup process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 allow remote attackers to hijack the authentication of administrators for requests that modify the configuration file.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PhpMyAdmin | =4.0.0 | |
| PhpMyAdmin | =4.0.0-rc2 | |
| PhpMyAdmin | =4.0.0-rc3 | |
| PhpMyAdmin | =4.0.1 | |
| PhpMyAdmin | =4.0.2 | |
| PhpMyAdmin | =4.0.3 | |
| PhpMyAdmin | =4.0.4 | |
| PhpMyAdmin | =4.0.4.1 | |
| PhpMyAdmin | =4.0.4.2 | |
| PhpMyAdmin | =4.0.5 | |
| PhpMyAdmin | =4.0.6 | |
| PhpMyAdmin | =4.0.7 | |
| PhpMyAdmin | =4.0.8 | |
| PhpMyAdmin | =4.0.9 | |
| PhpMyAdmin | =4.0.10 | |
| PhpMyAdmin | =4.0.10.2 | |
| PhpMyAdmin | =4.0.10.5 | |
| PhpMyAdmin | =4.0.10.6 | |
| PhpMyAdmin | =4.0.10.7 | |
| PhpMyAdmin | =4.0.10.8 | |
| PhpMyAdmin | =4.0.10.9 | |
| PhpMyAdmin | =4.2.0 | |
| PhpMyAdmin | =4.2.1 | |
| PhpMyAdmin | =4.2.2 | |
| PhpMyAdmin | =4.2.3 | |
| PhpMyAdmin | =4.2.4 | |
| PhpMyAdmin | =4.2.5 | |
| PhpMyAdmin | =4.2.7 | |
| PhpMyAdmin | =4.2.7.1 | |
| PhpMyAdmin | =4.2.9.1 | |
| PhpMyAdmin | =4.2.10.1 | |
| PhpMyAdmin | =4.2.11 | |
| PhpMyAdmin | =4.2.12 | |
| PhpMyAdmin | =4.2.13.1 | |
| PhpMyAdmin | =4.2.13.2 | |
| PhpMyAdmin | =4.3.0 | |
| PhpMyAdmin | =4.3.1 | |
| PhpMyAdmin | =4.3.2 | |
| PhpMyAdmin | =4.3.3 | |
| PhpMyAdmin | =4.3.4 | |
| PhpMyAdmin | =4.3.5 | |
| PhpMyAdmin | =4.3.6 | |
| PhpMyAdmin | =4.3.7 | |
| PhpMyAdmin | =4.3.8 | |
| PhpMyAdmin | =4.3.9 | |
| PhpMyAdmin | =4.3.10 | |
| PhpMyAdmin | =4.3.11 | |
| PhpMyAdmin | =4.3.12 | |
| PhpMyAdmin | =4.3.13 | |
| PhpMyAdmin | =4.4.0 | |
| PhpMyAdmin | =4.4.1 | |
| PhpMyAdmin | =4.4.1.1 | |
| PhpMyAdmin | =4.4.3 | |
| PhpMyAdmin | =4.4.4 | |
| PhpMyAdmin | =4.4.5 | |
| PhpMyAdmin | =4.4.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-updates/2015-07/msg00008.html
- http://www.debian.org/security/2015/dsa-3382
- http://www.phpmyadmin.net/home_page/security/PMASA-2015-2.php
- http://www.securityfocus.com/bid/74657
- http://www.securitytracker.com/id/1032404
- https://github.com/phpmyadmin/phpmyadmin/commit/ee92eb9bab8e2d546756c1d4aec81ec7c8e44b83
Frequently Asked Questions
What is the severity of CVE-2015-3902?
CVE-2015-3902 has a medium severity rating due to its potential impact on administrator session hijacking.
How do I fix CVE-2015-3902?
To resolve CVE-2015-3902, upgrade phpMyAdmin to version 4.0.10.10 or later, 4.2.13.3 or later, 4.3.13.1 or later, or 4.4.6.1 or later.
Which versions of phpMyAdmin are affected by CVE-2015-3902?
CVE-2015-3902 affects phpMyAdmin versions before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1.
What type of vulnerability is CVE-2015-3902?
CVE-2015-3902 is a cross-site request forgery (CSRF) vulnerability allowing attackers to hijack administrator sessions.
Who can be impacted by CVE-2015-3902?
CVE-2015-3902 can significantly impact users with administrator privileges in phpMyAdmin, as it allows unauthorized configuration changes.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/remedy
- agent/severity
- agent/event
- agent/description
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/weakness
- vendor/phpmyadmin
- canonical/phpmyadmin
- version/phpmyadmin/4.0.0
- version/phpmyadmin/4.0.0-rc2
- version/phpmyadmin/4.0.0-rc3
- version/phpmyadmin/4.0.1
- version/phpmyadmin/4.0.2
- version/phpmyadmin/4.0.3
- version/phpmyadmin/4.0.4
- version/phpmyadmin/4.0.4.1
- version/phpmyadmin/4.0.4.2
- version/phpmyadmin/4.0.5
- version/phpmyadmin/4.0.6
- version/phpmyadmin/4.0.7
- version/phpmyadmin/4.0.8
- version/phpmyadmin/4.0.9
- version/phpmyadmin/4.0.10
- version/phpmyadmin/4.0.10.2
- version/phpmyadmin/4.0.10.5
- version/phpmyadmin/4.0.10.6
- version/phpmyadmin/4.0.10.7
- version/phpmyadmin/4.0.10.8
- version/phpmyadmin/4.0.10.9
- version/phpmyadmin/4.2.0
- version/phpmyadmin/4.2.1
- version/phpmyadmin/4.2.2
- version/phpmyadmin/4.2.3
- version/phpmyadmin/4.2.4
- version/phpmyadmin/4.2.5
- version/phpmyadmin/4.2.7
- version/phpmyadmin/4.2.7.1
- version/phpmyadmin/4.2.9.1
- version/phpmyadmin/4.2.10.1
- version/phpmyadmin/4.2.11
- version/phpmyadmin/4.2.12
- version/phpmyadmin/4.2.13.1
- version/phpmyadmin/4.2.13.2
- version/phpmyadmin/4.3.0
- version/phpmyadmin/4.3.1
- version/phpmyadmin/4.3.2
- version/phpmyadmin/4.3.3
- version/phpmyadmin/4.3.4
- version/phpmyadmin/4.3.5
- version/phpmyadmin/4.3.6
- version/phpmyadmin/4.3.7
- version/phpmyadmin/4.3.8
- version/phpmyadmin/4.3.9
- version/phpmyadmin/4.3.10
- version/phpmyadmin/4.3.11
- version/phpmyadmin/4.3.12
- version/phpmyadmin/4.3.13
- version/phpmyadmin/4.4.0
- version/phpmyadmin/4.4.1
- version/phpmyadmin/4.4.1.1
- version/phpmyadmin/4.4.3
- version/phpmyadmin/4.4.4
- version/phpmyadmin/4.4.5
- version/phpmyadmin/4.4.6