CVE-2009-1151 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Vendor	Product	Version
phpmyadmin	phpmyadmin	2.11.0 ≤ 𝑥 < 2.11.9.5
phpmyadmin	phpmyadmin	3.0.0 ≤ 𝑥 < 3.1.3.1
debian	debian_linux	4.0
debian	debian_linux	5.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

phpmyadmin

bullseye	4:5.0.4+dfsg2-2+deb11u1 fixed
bookworm	4:5.2.1+dfsg-1 fixed
sid	4:5.2.1+dfsg-4 fixed
trixie	4:5.2.1+dfsg-4 fixed

Ubuntu Releases

Ubuntu Product

Codename

phpmyadmin

karmic	not-affected
jaunty	not-affected
intrepid	Fixed 4:2.11.8.1-1ubuntu0.1 released
hardy	Fixed 4:2.11.3-1ubuntu1.2 released
gutsy	ignored
dapper	Fixed 4:2.8.0.3-1ubuntu0.2 released

Known Exploits!

Common Weakness Enumeration

CWE-94 - Improper Control of Generation of Code ('Code Injection')
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References

http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/

http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html

http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301

http://secunia.com/advisories/34430

http://secunia.com/advisories/34642

http://secunia.com/advisories/35585

http://secunia.com/advisories/35635

http://security.gentoo.org/glsa/glsa-200906-03.xml

http://www.debian.org/security/2009/dsa-1824

http://www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/

http://www.mandriva.com/security/advisories?name=MDVSA-2009:115

http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php

http://www.securityfocus.com/archive/1/504191/100/0/threaded

http://www.securityfocus.com/bid/34236

https://www.exploit-db.com/exploits/8921

http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/

http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html

http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301

http://secunia.com/advisories/34430

http://secunia.com/advisories/34642

http://secunia.com/advisories/35585

http://secunia.com/advisories/35635

http://security.gentoo.org/glsa/glsa-200906-03.xml

http://www.debian.org/security/2009/dsa-1824

http://www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/

http://www.mandriva.com/security/advisories?name=MDVSA-2009:115

http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php

http://www.securityfocus.com/archive/1/504191/100/0/threaded

http://www.securityfocus.com/bid/34236

https://www.exploit-db.com/exploits/8921