CVE-2011-4107: Improper Restriction of XML External Entity Reference
(updated )
The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
References
- lists.fedoraproject.org/pipermail/package-announce/2011-November/069625.html
- lists.fedoraproject.org/pipermail/package-announce/2011-November/069635.html
- lists.fedoraproject.org/pipermail/package-announce/2011-November/069649.html
- packetstormsecurity.org/files/view/106511/phpmyadmin-fileread.txt
- seclists.org/fulldisclosure/2011/Nov/21
- securityreason.com/securityalert/8533
- www.debian.org/security/2012/dsa-2391
- www.openwall.com/lists/oss-security/2011/11/03/3
- www.openwall.com/lists/oss-security/2011/11/03/5
- www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
- bugzilla.redhat.com/show_bug.cgi?id=751112
- exchange.xforce.ibmcloud.com/vulnerabilities/71108
- github.com/advisories/GHSA-q4mm-89q2-xffg
- github.com/phpmyadmin/phpmyadmin/commit/2fbf631384fd8cded55f4500cb87b129442f9ed2
- github.com/phpmyadmin/phpmyadmin/commit/34d99de000de9d15cfdf5e9cc8b7682d51110bbd
- github.com/phpmyadmin/phpmyadmin/commit/5fa86b8e81565c15ddbc359e8f59ecd829a2b717
- github.com/phpmyadmin/phpmyadmin/commit/a5e206fbd2ca814042cfc1bb7dd3b40c28ce3fb5
- nvd.nist.gov/vuln/detail/CVE-2011-4107
Code Behaviors & Features
Detect and mitigate CVE-2011-4107 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →