CVE-2011-4107 — MEDIUM (6.5)

Q: How severe is CVE-2011-4107?

CVE-2011-4107 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2011-4107?

Check the references section above for vendor advisories and patch information. Affected products include: Phpmyadmin Phpmyadmin, Fedoraproject Fedora, Debian Debian Linux.

Vulnerability Description

The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Phpmyadmin	Phpmyadmin	>= 3.3.0.0, < 3.3.10.5
Fedoraproject	Fedora	14
Debian	Debian Linux	5.0

Related Weaknesses (CWE)

CWE-611

References

http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069625.hMailing ListThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069635.hMailing ListThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069649.hMailing ListThird Party Advisory
http://osvdb.org/76798Broken Link
http://packetstormsecurity.org/files/view/106511/phpmyadmin-fileread.txtBroken LinkExploit
http://seclists.org/fulldisclosure/2011/Nov/21ExploitMailing ListThird Party Advisory
http://secunia.com/advisories/46447Broken LinkVendor Advisory
http://securityreason.com/securityalert/8533Broken Link
http://www.debian.org/security/2012/dsa-2391Mailing List
http://www.mandriva.com/security/advisories?name=MDVSA-2011:198Broken Link
http://www.openwall.com/lists/oss-security/2011/11/03/3Mailing List
http://www.openwall.com/lists/oss-security/2011/11/03/5Mailing List
http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.phpPatchVendor Advisory
http://www.securityfocus.com/bid/50497Broken LinkThird Party AdvisoryVDB Entry
http://www.wooyun.org/bugs/wooyun-2010-03185Broken LinkExploit

FAQ

What is CVE-2011-4107?

CVE-2011-4107 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary...

How severe is CVE-2011-4107?

CVE-2011-4107 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2011-4107?

Check the references section above for vendor advisories and patch information. Affected products include: Phpmyadmin Phpmyadmin, Fedoraproject Fedora, Debian Debian Linux.