CVE-2011-2508 — phpMyAdmin Directory Traversal vulnerability

Description

Directory traversal vulnerability in libraries/display_tbl.lib.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1, when a certain MIME transformation feature is enabled, allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in a GLOBALS[mime_map][$meta->name][transformation] parameter.

How to fix CVE-2011-2508

To remediate CVE-2011-2508, upgrade the affected package to a fixed version below.

Debian/phpmyadmin—upgrade to 4:3.4.3.1-1 or later
Packagist/phpmyadmin/phpmyadmin—upgrade to 3.3.10.2 or later

Is CVE-2011-2508 being exploited?

Moderate — EPSS is 11.2%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 4:3.4.3.1-1
>= 3.3.0, < 3.3.10.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References (19)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2011-2508
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2011-2508
PATCHgithub.com/phpmyadmin/phpmyadmin
WEBha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html