TYPO3-EXT-SA-2019-008: Multiple vulnerabilities in extension "phpMyAdmin" (phpmyadmin)

Categories: Development Created by Torben Hansen
It has been discovered that the extension "phpMyAdmin" (phpmyadmin) is susceptible to Arbitrary file read and SQL injection.
  • Release Date: May 07, 2019
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Vulnerability Type: Multiple vulnerabilities
  • Affected Versions: 5.2.4 and below 
  • Severity: Medium
  • Suggested CVSS v3.0: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE: not assigned yet

Problem Description

Multiple vulnerabilities have been found in the phpMyAdmin component.

Solution

An updated version 5.2.5  is available from the TYPO3 extension manager and at https://typo3.org/extensions/repository/download/phpmyadmin/5.2.5/zip/
Users of the extension are advised to update the extension as soon as possible. 

Note: In general the TYPO3 Security Team recommends to not use any extension that bundles database or file management tools on production TYPO3 websites.
 

Credits

Thanks to Andreas Beutel for providing a TYPO3 extension package with an updated phpMyAdmin version.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.