CVE-2011-2508: phpMyAdmin Directory Traversal vulnerability

May 14, 2022 (updated April 12, 2025)

Directory traversal vulnerability in libraries/display_tbl.lib.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1, when a certain MIME transformation feature is enabled, allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in a GLOBALS[mime_map][$meta->name][transformation] parameter.

References

github.com/advisories/GHSA-q6vw-39cg-wjjf
github.com/phpmyadmin/phpmyadmin
nvd.nist.gov/vuln/detail/CVE-2011-2508
web.archive.org/web/20110712103138/http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt
web.archive.org/web/20111109175131/http://typo3.org/teams/security/security-bulletins/typo3-sa-2011-008
web.archive.org/web/20111217070727/http://www.securityfocus.com/archive/1/518804/100/0/threaded
web.archive.org/web/20111217173735/http://securityreason.com/securityalert/8306
web.archive.org/web/20250218012437/http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html

Code Behaviors & Features

Detect and mitigate CVE-2011-2508 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →