+33 (0)1 8695 8660
FR EN
Vulnérabilités informatiques
Découvrez les nouveaux vecteurs d'attaques, failles et vulnérabilités informatiques
08 Mar 2015

CVE-2015-2206

Publié par . Publié dans Gain information

Vulnerability Details : CVE-2015-2206

libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.
Publish Date : 2015-03-09 Last Update Date : 2015-03-23

- CVSS Scores & Vulnerability Types

CVSS Score
5.0
Confidentiality Impact Partial(There is considerable informational disclosure.)
Integrity Impact None(There is no impact to the integrity of the system)
Availability Impact None(There is no impact to the availability of the system.)
Access Complexity Low(Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit. )
Authentication Not required(Authentication is not required to exploit the vulnerability.)
Gained Access None
Vulnerability Type(s) Obtain InformationCSRF
CWE ID 200

- Products Affected By CVE-2015-2206

# Product Type Vendor Product Version Update Edition Language
1 Application Phpmyadmin Phpmyadmin 4.0.0 Version Details Vulnerabilities
2 Application Phpmyadmin Phpmyadmin 4.0.0 RC2 Version Details Vulnerabilities
3 Application Phpmyadmin Phpmyadmin 4.0.0 RC3 Version Details Vulnerabilities
4 Application Phpmyadmin Phpmyadmin 4.0.1 Version Details Vulnerabilities
5 Application Phpmyadmin Phpmyadmin 4.0.2 Version Details Vulnerabilities
6 Application Phpmyadmin Phpmyadmin 4.0.3 Version Details Vulnerabilities
7 Application Phpmyadmin Phpmyadmin 4.0.4 Version Details Vulnerabilities
8 Application Phpmyadmin Phpmyadmin 4.0.4.1 Version Details Vulnerabilities
9 Application Phpmyadmin Phpmyadmin 4.0.4.2 Version Details Vulnerabilities
10 Application Phpmyadmin Phpmyadmin 4.0.5 Version Details Vulnerabilities
11 Application Phpmyadmin Phpmyadmin 4.0.6 Version Details Vulnerabilities
12 Application Phpmyadmin Phpmyadmin 4.0.7 Version Details Vulnerabilities
13 Application Phpmyadmin Phpmyadmin 4.0.8 Version Details Vulnerabilities
14 Application Phpmyadmin Phpmyadmin 4.0.9 Version Details Vulnerabilities
15 Application Phpmyadmin Phpmyadmin 4.0.10 Version Details Vulnerabilities
16 Application Phpmyadmin Phpmyadmin 4.0.10.1 Version Details Vulnerabilities
17 Application Phpmyadmin Phpmyadmin 4.0.10.2 Version Details Vulnerabilities
18 Application Phpmyadmin Phpmyadmin 4.0.10.3 Version Details Vulnerabilities
19 Application Phpmyadmin Phpmyadmin 4.0.10.4 Version Details Vulnerabilities
20 Application Phpmyadmin Phpmyadmin 4.0.10.5 Version Details Vulnerabilities
21 Application Phpmyadmin Phpmyadmin 4.0.10.6 Version Details Vulnerabilities
22 Application Phpmyadmin Phpmyadmin 4.0.10.7 Version Details Vulnerabilities
23 Application Phpmyadmin Phpmyadmin 4.0.10.8 Version Details Vulnerabilities
24 Application Phpmyadmin Phpmyadmin 4.2.0 Version Details Vulnerabilities
25 Application Phpmyadmin Phpmyadmin 4.2.1 Version Details Vulnerabilities
26 Application Phpmyadmin Phpmyadmin 4.2.2 Version Details Vulnerabilities
27 Application Phpmyadmin Phpmyadmin 4.2.3 Version Details Vulnerabilities
28 Application Phpmyadmin Phpmyadmin 4.2.4 Version Details Vulnerabilities
29 Application Phpmyadmin Phpmyadmin 4.2.5 Version Details Vulnerabilities
30 Application Phpmyadmin Phpmyadmin 4.2.6 Version Details Vulnerabilities
31 Application Phpmyadmin Phpmyadmin 4.2.7 Version Details Vulnerabilities
32 Application Phpmyadmin Phpmyadmin 4.2.7.1 Version Details Vulnerabilities
33 Application Phpmyadmin Phpmyadmin 4.2.8 Version Details Vulnerabilities
34 Application Phpmyadmin Phpmyadmin 4.2.8.1 Version Details Vulnerabilities
35 Application Phpmyadmin Phpmyadmin 4.2.9 Version Details Vulnerabilities
36 Application Phpmyadmin Phpmyadmin 4.2.9.1 Version Details Vulnerabilities
37 Application Phpmyadmin Phpmyadmin 4.2.10 Version Details Vulnerabilities
38 Application Phpmyadmin Phpmyadmin 4.2.10.1 Version Details Vulnerabilities
39 Application Phpmyadmin Phpmyadmin 4.2.11 Version Details Vulnerabilities
40 Application Phpmyadmin Phpmyadmin 4.2.12 Version Details Vulnerabilities
41 Application Phpmyadmin Phpmyadmin 4.2.13 Version Details Vulnerabilities
42 Application Phpmyadmin Phpmyadmin 4.2.13.1 Version Details Vulnerabilities
43 Application Phpmyadmin Phpmyadmin 4.3.0 Version Details Vulnerabilities
44 Application Phpmyadmin Phpmyadmin 4.3.1 Version Details Vulnerabilities
45 Application Phpmyadmin Phpmyadmin 4.3.2 Version Details Vulnerabilities
46 Application Phpmyadmin Phpmyadmin 4.3.3 Version Details Vulnerabilities
47 Application Phpmyadmin Phpmyadmin 4.3.4 Version Details Vulnerabilities
48 Application Phpmyadmin Phpmyadmin 4.3.5 Version Details Vulnerabilities
49 Application Phpmyadmin Phpmyadmin 4.3.6 Version Details Vulnerabilities
50 Application Phpmyadmin Phpmyadmin 4.3.7 Version Details Vulnerabilities
51 Application Phpmyadmin Phpmyadmin 4.3.8 Version Details Vulnerabilities
52 Application Phpmyadmin Phpmyadmin 4.3.9 Version Details Vulnerabilities
53 Application Phpmyadmin Phpmyadmin 4.3.10 Version Details Vulnerabilities
54 Application Phpmyadmin Phpmyadmin 4.3.11 Version Details Vulnerabilities

- Number Of Affected Versions By Product

Vendor Product Vulnerable Versions
Phpmyadmin Phpmyadmin 54

- References For CVE-2015-2206

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151931.html
FEDORA FEDORA-2015-3336
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151331.html
FEDORA FEDORA-2015-3287
http://www.phpmyadmin.net/home_page/security/PMASA-2015-1.php CONFIRM
https://github.com/phpmyadmin/phpmyadmin/commit/b2f1e895038a5700bf8e81fb9a5da36cbdea0eeb CONFIRM
http://www.securitytracker.com/id/1031871
SECTRACK 1031871
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151914.html
FEDORA FEDORA-2015-3329

- Metasploit Modules Related To CVE-2015-2206

There are not any metasploit modules related to this vulnerability (Please visit www.metasploit.com for more information)