CVE-2011-2506
phpMyAdmin vulnerable to static code injection
EPSS 33.7%
Description
setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array.
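The bug class described above, shown as an added example that is not phpMyAdmin's own code: a hypothetical config writer copies a session-held array key into a block comment of a generated PHP file, next to a hardened form and a tokenizer check for reviewing generated output. All function names and the sample input are assumptions constructed for illustration.

```php
<?php
// Added example: a hypothetical config writer, not phpMyAdmin's ConfigGenerator.
// Vulnerable shape: the server key comes from session data and is written
// raw inside a block comment of the generated PHP file.
function render_vulnerable(array $servers): string
{
    $out = "<?php\n";
    foreach ($servers as $id => $server) {
        $out .= '/* Server: ' . $id . " */\n";
        $out .= '$cfg[\'Servers\'][] = ' . var_export($server, true) . ";\n";
    }
    return $out;
}

// Hardened shape: only integer keys are accepted, and free text placed in a
// comment is reduced to an allowlist that cannot contain "*/".
function render_hardened(array $servers): string
{
    $out = "<?php\n";
    foreach ($servers as $id => $server) {
        if (!is_int($id)) {
            continue; // a legitimate server index is numeric; drop anything else
        }
        $name = preg_replace('/[^A-Za-z0-9 ._-]/', '_', (string) ($server['host'] ?? ''));
        $out .= '/* Server: ' . $name . ' [' . $id . "] */\n";
        $out .= '$cfg[\'Servers\'][' . $id . '] = ' . var_export($server, true) . ";\n";
    }
    return $out;
}

// Defender's check: tokenize a generated file and list statement keywords and
// bare identifiers, which a file of plain $cfg assignments should not contain.
function unexpected_tokens(string $php): array
{
    $bad = [];
    foreach (token_get_all($php) as $tok) {
        if (is_array($tok) && in_array($tok[0], [T_ECHO, T_EVAL, T_INCLUDE, T_REQUIRE, T_STRING], true)) {
            $bad[] = token_name($tok[0]) . ':' . $tok[1];
        }
    }
    return $bad;
}

// Constructed session-like input: the second key contains a comment closing delimiter.
$servers = [
    1 => ['host' => 'db1.example.test'],
    "x */ echo 'marker'; /*" => ['host' => 'db2.example.test'],
];
var_dump(unexpected_tokens(render_vulnerable($servers)));
var_dump(unexpected_tokens(render_hardened($servers)));
```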
How to fix CVE-2011-2506
To remediate CVE-2011-2506, upgrade the affected package to a fixed version below.
- Debian/phpmyadmin—upgrade to 4:3.4.3.1-1 or later
- Packagist/phpmyadmin/phpmyadmin—upgrade to 3.3.10.2 or later
Is CVE-2011-2506 being exploited?
Moderate — EPSS is 33.7%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- Debian/phpmyadmin: from 0, < 4:3.4.3.1-1
- Packagist/phpmyadmin/phpmyadmin: >= 3.0, < 3.3.10.2