- Release Date: January 22, 2019
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Vulnerability Type: Multiple vulnerabilities
- Affected Versions: 5.2.3 and below
- Severity: High
- Suggested CVSS v3.0: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CVE: not assigned yet
Problem Description
Multiple vulnerabilities have been found in the phpMyAdmin component.
- PMASA-2018-2 (CSRF)
- PMASA-2018-3 (Cross-Site Scripting)
- PMASA-2018-4 (File Inclusion and Remote Code Execution)
- PMASA-2018-5 (Cross-Site Scripting)
- PMASA-2018-6 (Local file inclusion)
- PMASA-2018-7 (XSRF/CSRF)
- PMASA-2018-8 (Cross-Site Scripting)
Solution
An updated version 5.2.4 is available from the TYPO3 extension manager and at https://typo3.org/extensions/repository/download/phpmyadmin/5.2.4/zip/.
Users of the extension are advised to update the extension as soon as possible.
Note: In general, the TYPO3 Security Team recommends not using any extension that bundles database or file management tools on production TYPO3 websites.
Credits
Thanks to Andreas Beutel for providing a TYPO3 extension package with an updated phpMyAdmin version.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.