phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a CSRF weakness. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables, etc.

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-1000499
https://www.phpmyadmin.net/security/PMASA-2017-9/
http://cyberworldmirror.com/vulnerability-phpmyadmin-lets-attacker-perform-drop-table-single-click/
https://github.com/phpmyadmin/phpmyadmin/commit/edd929216ade9f7c150a262ba3db44db0fed0e1b
https://github.com/phpmyadmin/phpmyadmin/commit/72f109a99c82b14c07dcb19946ba9b76efc32a1b
Created phpMyAdmin tracking bugs for this issue:

Affects: epel-all [bug 1532952]
Affects: fedora-all [bug 1532954]
Affects: openshift-1 [bug 1532953]
Closing as per https://www.phpmyadmin.net/security/PMASA-2017-9/:

Unaffected Versions: Versions older than 4.7.0 are not affected.
Sorry, comment #2 was meant to be posted in bug 1532952. Reopening this one.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.