GHSA-p6h7-29r2-g88f

Suggest an improvement
Source
https://github.com/advisories/GHSA-p6h7-29r2-g88f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-p6h7-29r2-g88f/GHSA-p6h7-29r2-g88f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-p6h7-29r2-g88f
Aliases
Published
2022-05-14T02:55:16Z
Modified
2024-01-15T18:11:46.964011Z
Summary
phpMyAdmin vulnerable to static code injection
Details

setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array.

Database specific
{
    "nvd_published_at": "2011-07-14T23:55:00Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-15T17:50:29Z"
}
References

Affected packages

Packagist / phpmyadmin/phpmyadmin

Package

Name
phpmyadmin/phpmyadmin
Purl
pkg:composer/phpmyadmin/phpmyadmin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0
Fixed
3.3.10.2

Packagist / phpmyadmin/phpmyadmin

Package

Name
phpmyadmin/phpmyadmin
Purl
pkg:composer/phpmyadmin/phpmyadmin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.4
Fixed
3.4.3.1