Sat. Jan 18th, 2020

CVE-2019-12922: 0-day phpMyAdmin Cross-Site Request Forgery Vulnerability Alert


phpMyAdmin is a free software tool written in PHP that is intended to handle the administration of a MySQL or MariaDB database server. You can use phpMyAdmin to perform most administration tasks, including creating a database, running queries, and adding user accounts.


CVE-2019-12922: phpMyAdmin – Cross-Site Request Forgery

A Cross-Site Request Forgery vulnerability has been detected in phpMyAdmin that allows an attacker to trigger a CSRF attack against a phpMyAdmin user, deleting any server in the Setup page. The attacker can easily create a fake hyperlink containing the request they want to execute on behalf of the user, which makes a CSRF attack possible due to the wrong use of the HTTP method.

Affected version

  • phpMyAdmin <=


Exploit CSRF – Deleting main server

<p>Deleting Server 1</p>
<img src="
style="display:none;" />


Validate the token variable on every call, as is already done in other phpMyAdmin requests.
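
The difference between the flawed pattern and the recommended one, as an added example that is not phpMyAdmin's own code. The function names, the `action` and `server_id` parameters, and the sample data are assumptions made for illustration.

```php
<?php
// Added illustration with hypothetical parameter names; not phpMyAdmin's own code.
declare(strict_types=1);

// Vulnerable pattern: a state change driven by GET parameters with no token check,
// so any URL the browser fetches (a link, an <img src>) performs it with the user's session.
function deleteServerVulnerable(array $get, array &$servers): bool
{
    $id = $get['server_id'] ?? null;
    if (($get['action'] ?? '') !== 'delete_server' || !is_string($id) || !isset($servers[$id])) {
        return false;
    }
    unset($servers[$id]);
    return true;
}

// Hardened pattern: POST only, and the submitted token must equal the session token.
function deleteServerHardened(string $method, array $post, array $session, array &$servers): bool
{
    if ($method !== 'POST') {
        return false; // image and link loads are GET, so they stop here
    }
    $expected = $session['token'] ?? '';
    $given = $post['token'] ?? '';
    if (!is_string($expected) || !is_string($given) || $expected === ''
        || !hash_equals($expected, $given)) { // constant-time comparison
        return false;
    }
    $id = $post['server_id'] ?? null;
    if (($post['action'] ?? '') !== 'delete_server' || !is_string($id) || !isset($servers[$id])) {
        return false;
    }
    unset($servers[$id]);
    return true;
}

// Constructed sample data and requests.
$session = ['token' => bin2hex(random_bytes(16))];
$forged = ['action' => 'delete_server', 'server_id' => '1']; // cross-site request: no token
$genuine = $forged + ['token' => $session['token']];         // form rendered by the application

$a = ['1' => 'db-main', '2' => 'db-replica'];
$b = $a;
printf("vulnerable, forged GET:  %s\n", var_export(deleteServerVulnerable($forged, $a), true));
printf("hardened, forged GET:    %s\n", var_export(deleteServerHardened('GET', $forged, $session, $b), true));
printf("hardened, forged POST:   %s\n", var_export(deleteServerHardened('POST', $forged, $session, $b), true));
printf("hardened, genuine POST:  %s\n", var_export(deleteServerHardened('POST', $genuine, $session, $b), true));
```

The method check alone is not sufficient, since a cross-site form can still submit a POST; the token comparison is what ties the request to a page the application itself rendered.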

Via: packetstormsecurity