Miggo Logo
Miggo Vulnerability Database
CVE-2011-4107

CVE-2011-4107:
phpMyAdmin vulnerable to XML external entity (XXE) injection attack

6.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2011-4107
GHSA ID
GHSA-q4mm-89q2-xffg
EPSS Score
0.93263%
CWE
CWE-200
Published
5/17/2022
Updated
2/9/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
phpmyadmin/phpmyadmincomposer>= 3.4.0, < 3.4.7.13.4.7.1
phpmyadmin/phpmyadmincomposer>= 3.3.0, < 3.3.10.53.3.10.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability description explicitly identifies simplexml_load_string in xml.php as the entry point. The CWE-611 (XXE) and patch analysis confirm the issue: the function parsed XML without properly disabling libxml's external entity loader. The GitHub patch adds libxml_disable_entity_loader() calls and conditional checks to mitigate this, directly implicating the insecure usage of simplexml_load_string in the pre-patch code.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** `simpl*xml_lo**_strin*` *un*tion in t** XML import plu*-in (`li*r*ri*s/import/xml.p*p`) in p*pMy**min *.*.x ***or* *.*.*.* *n* *.*.x ***or* *.*.**.* *llows r*mot* *ut**nti**t** us*rs to r*** *r*itr*ry *il*s vi* XML **t* *ont*inin* *xt*rn*l *ntity

Reasoning

T** vuln*r**ility **s*ription *xpli*itly i**nti*i*s simpl*xml_lo**_strin* in xml.p*p *s t** *ntry point. T** *W*-*** (XX*) *n* p*t** *n*lysis *on*irm t** issu*: t** *un*tion p*rs** XML wit*out prop*rly *is**lin* li*xml's *xt*rn*l *ntity lo***r. T** *