phpMyAdmin zero-day vulnerability (CVE-2019-12922)

A security researcher recently detected a zero-day CSRF vulnerability CVE-2019-12922 in phpMyAdmin 4.9.0.1, which allows the deletion of any server in the Setup page.

phpMyAdmin is a free software tool written in PHP and is one of the web’s most popular database administration software packages. Administrators use phpMyAdmin to manage a wide range of database operations on MySQL and MariaDB.

According to seclists.org, the Cross-Site Request Forgery (CSRF) issue affects phpMyAdmin 4.9.0.1 and prior versions. An attacker can trigger a CSRF attack against a logged-in phpMyAdmin user that deletes any server configured in the Setup page.

Researcher Manuel Garcia Cardenas discovered and reported the vulnerability on June 13. The issue was published on seclists.org on September 13, 2019.

You can also check out the OWASP CSRF cheat sheet to learn more about CSRF and the guidelines that help prevent related vulnerabilities.
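As an added illustration of the defense that guidance describes, the following PHP snippet (not phpMyAdmin's own code; the file name, form field names and config layout are hypothetical) shows a setup-style "remove server" action that only performs the deletion when the request carries a per-session synchronizer token, which a cross-site page cannot obtain.

```php
<?php
// Added example, not phpMyAdmin code: a hypothetical "remove server" handler
// protected with a synchronizer token. Names and config layout are assumptions.

// Defense in depth: a SameSite session cookie is not sent on cross-site POSTs (PHP 7.3+).
session_set_cookie_params(['samesite' => 'Strict', 'httponly' => true]);
session_start();

// Issue one random token per session; every state-changing form embeds it.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept only a POST whose token matches the one stored for this session.
function csrfTokenIsValid(): bool
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals compares in constant time, so timing does not leak the token.
    return $expected !== '' && hash_equals($expected, $sent);
}

// The state-changing action: drop one entry from a (constructed) list of servers.
function removeServer(array $servers, int $id): array
{
    if (!csrfTokenIsValid()) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    unset($servers[$id]);
    return array_values($servers);
}

// Rendering the form: the token travels in the request body, not in a cookie,
// so a page on another origin that can only make the browser attach cookies cannot forge it.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="remove_server.php">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input type="hidden" name="id" value="0">'
   . '<button type="submit">Remove server</button></form>';
```

The same check must guard every other state-changing setup action, since a single unprotected handler is enough for a forged request to succeed.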

We will continue to monitor for available fixes for this issue and will update this article as soon as information is released.