CVE-2011-4107
Severity: MEDIUM 6.5
EPSS: 12.4%
phpMyAdmin vulnerable to XML external entity (XXE) injection attack
Published: 5/17/2022
Modified: 5/7/2026
Description
The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
Affected packages (2)
- Debian/phpmyadmin: from 0, < 4:3.4.7.1-1
- Packagist/phpmyadmin/phpmyadmin: >= 3.4.0, < 3.4.7.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (19)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2011-4107
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2011-4107
- PATCH: https://github.com/phpmyadmin/phpmyadmin
- WEB: http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069625.html
- WEB: http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069635.html
- WEB: http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069649.html
- WEB: http://packetstormsecurity.org/files/view/106511/phpmyadmin-fileread.txt
- WEB: https://bugzilla.redhat.com/show_bug.cgi?id=751112
- WEB: http://seclists.org/fulldisclosure/2011/Nov/21
- WEB: http://securityreason.com/securityalert/8533
- WEB: https://exchange.xforce.ibmcloud.com/vulnerabilities/71108
- WEB: https://github.com/phpmyadmin/phpmyadmin/commit/2fbf631384fd8cded55f4500cb87b129442f9ed2
- WEB: https://github.com/phpmyadmin/phpmyadmin/commit/34d99de000de9d15cfdf5e9cc8b7682d51110bbd
- WEB: https://github.com/phpmyadmin/phpmyadmin/commit/5fa86b8e81565c15ddbc359e8f59ecd829a2b717
- WEB: https://github.com/phpmyadmin/phpmyadmin/commit/a5e206fbd2ca814042cfc1bb7dd3b40c28ce3fb5
- WEB: http://www.debian.org/security/2012/dsa-2391
- WEB: http://www.openwall.com/lists/oss-security/2011/11/03/3
- WEB: http://www.openwall.com/lists/oss-security/2011/11/03/5
- WEB: http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php