Multiple vulnerabilities in phpMyAdmin: CVE-2018-19968 (PMASA-2018-6), CVE-2018-19969 (PMASA-2018-7), CVE-2018-19970 (PMASA-2018-8)

Situation

Three vulnerabilities were discovered in phpMyAdmin:

• CVE-2018-19968 (PMASA-2018-6).

• CVE-2018-19969 (PMASA-2018-7).

• CVE-2018-19970 (PMASA-2018-8).

Affected versions

1. CVE-2018-19968.

   phpMyAdmin versions from at least 4.0 through 4.8.3 are affected.
   phpMyAdmin on Plesk for Windows is not affected by this vulnerability.

2. CVE-2018-19969.

   phpMyAdmin versions 4.7.0 through 4.7.6 and 4.8.0 through 4.8.3 are affected.

3. CVE-2018-19970.

   phpMyAdmin versions from at least 4.0 through 4.8.3 are affected.

All phpMyAdmin versions which are shipped with Plesk are less than 4.8.4 so they all are affected:

• Plesk Onyx 17.8.11 – 4.8.3.
• Plesk Onyx 17.5.3 – 4.6.6.
• Plesk Onyx 17.0.17 – 4.6.6.
• Plesk 12.5.30 – 4.6.6.
• Plesk 12.0.18 – 4.5.1.

Mitigation

phpMyAdmin shipped with Plesk was updated to the version 4.8.4 in the following updates:

• 17 December 2018 – Plesk Onyx 17.8.11 Update 35.
• 17 December 2018 – Plesk Onyx 17.5.3 Update 64.
• 26 December 2018 – Plesk Onyx 17.0.17 Update 62.
• 19 December 2018 – Plesk 12.5.30 Update 79.
• 26 December 2018 – Plesk 12.0.18 Update 104 for Linux and for Windows.

Warning: this phpMyAdmin version cannot execute stored procedures.

To install the latest Plesk updates, use the instructions from the article How to install Plesk updates