CVE-2015-7873
medium

| Metric | Score |
|---|---|
| CVSS v3 | — |
| CVSS v2 | 5.0 |
| VIR risk | 5.0 |
Description
The redirection feature in url.php in phpMyAdmin 4.4.x before 4.4.15.1 and 4.5.x before 4.5.1 allows remote attackers to spoof content via the url parameter.
Predictions
| Prediction | Value |
|---|---|
| Exploit likelihood | 20% |
| Patch ETA | — |

Heuristic predictions, provided as-is, for prioritization only.
Mitigations
- Vendor advisory (debian): https://security-tracker.debian.org/tracker/CVE-2015-7873
- Vendor advisory (cve@mitre.org): https://www.phpmyadmin.net/security/PMASA-2015-5/
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 4:4.5.1-1 |
| debian | bullseye | fixed | 4:4.5.1-1 |
| debian | sid | fixed | 4:4.5.1-1 |
| debian | trixie | fixed | 4:4.5.1-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | phpmyadmin/phpmyadmin | >=4.4.0,<4.4.15.1 | 4.4.15.1 |
| Packagist | phpmyadmin/phpmyadmin | >=4.5.0,<4.5.1 | 4.5.1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| phpmyadmin | phpmyadmin | 4.4.0 | |
| phpmyadmin | phpmyadmin | 4.4.1 | |
| phpmyadmin | phpmyadmin | 4.4.1.1 | |
| phpmyadmin | phpmyadmin | 4.4.2 | |
| phpmyadmin | phpmyadmin | 4.4.3 | |
| phpmyadmin | phpmyadmin | 4.4.4 | |
| phpmyadmin | phpmyadmin | 4.4.5 | |
| phpmyadmin | phpmyadmin | 4.4.6 | |
| phpmyadmin | phpmyadmin | 4.4.6.1 | |
| phpmyadmin | phpmyadmin | 4.4.7 | |
| phpmyadmin | phpmyadmin | 4.4.8 | |
| phpmyadmin | phpmyadmin | 4.4.9 | |
| phpmyadmin | phpmyadmin | 4.4.10 | |
| phpmyadmin | phpmyadmin | 4.4.11 | |
| phpmyadmin | phpmyadmin | 4.4.12 | |
| phpmyadmin | phpmyadmin | 4.4.13 | |
| phpmyadmin | phpmyadmin | 4.4.13.1 | |
| phpmyadmin | phpmyadmin | 4.4.14 | |
| phpmyadmin | phpmyadmin | 4.4.14.1 | |
| phpmyadmin | phpmyadmin | 4.4.15 | |
| phpmyadmin | phpmyadmin | 4.5.0 | |
| phpmyadmin | phpmyadmin | 4.5.0.1 | |
| phpmyadmin | phpmyadmin | 4.5.0.2 | |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171311.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171326.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169987.html
- http://www.debian.org/security/2015/dsa-3382
- http://www.securityfocus.com/bid/77299
- http://www.securitytracker.com/id/1034013
- https://github.com/phpmyadmin/phpmyadmin/commit/cd097656758f981f80fb9029c7d6b4294582b706
- https://www.phpmyadmin.net/security/PMASA-2015-5/
- https://nvd.nist.gov/vuln/detail/CVE-2015-7873
- https://github.com/phpmyadmin/phpmyadmin/commit/2b31866fe0b30b867aaf5b5fedb11adb354e037f
- https://github.com/phpmyadmin/phpmyadmin
- https://web.archive.org/web/20161014120907/http://www.securitytracker.com/id/1034013
- https://web.archive.org/web/20200228052850/http://www.securityfocus.com/bid/77299
- https://security-tracker.debian.org/tracker/CVE-2015-7873
CWEs
CWE-254