CVE-2011-0986: phpMyAdmin allows remote attackers to obtain installation path via direct request for nonexistent file

May 17, 2022 (updated April 12, 2025)

phpMyAdmin 2.11.x before 2.11.11.2, and 3.3.x before 3.3.9.1, does not properly handle the absence of the (1) README, (2) ChangeLog, and (3) LICENSE files, which allows remote attackers to obtain the installation path via a direct request for a nonexistent file.

References

exchange.xforce.ibmcloud.com/vulnerabilities/65424
github.com/advisories/GHSA-wcmm-28rg-mg3r
github.com/phpmyadmin/phpmyadmin
nvd.nist.gov/vuln/detail/CVE-2011-0986

Code Behaviors & Features

Detect and mitigate CVE-2011-0986 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →