CVE-2011-4107 — phpMyAdmin vulnerable to XML external entity (XXE) injection attack

Description

The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

How to fix CVE-2011-4107

To remediate CVE-2011-4107, upgrade the affected package to a fixed version below.

—upgrade to 4:3.4.7.1-1 or later
—upgrade to 3.4.7.1 or later

Is CVE-2011-4107 being exploited?

Moderate — EPSS is 12.4%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 4:3.4.7.1-1
>= 3.4.0, < 3.4.7.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (19)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2011-4107
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2011-4107
PATCHgithub.com/phpmyadmin/phpmyadmin
WEBlists.fedoraproject.org/pipermail/package-announce/2011-November/069625.html