phpMyAdmin is a PHP application designed to handle administration of MySQL or MariaDB through a web interface. Security updates were released to address three vulnerabilities in phpMyAdmin. An authorised local attacker could exploit a vulnerability in the configuration storage tables to leak the contents of a local file, or deliver a malicious payload to a targeted web administrator through a specially crafted database or table name. A remote attacker could also exploit a cross-site request forgery (XSRF/CSRF) vulnerability by enticing a targeted web administrator to click on a specially crafted URL.
A successful exploitation could lead to information disclosure, malicious code injection and unauthorised database operations on an affected system.
The product vendor has released version 4.8.4 to address the issues at the vendor's website:
https://www.phpmyadmin.net/downloads/
System administrators may contact their product support vendors for the fix and assistance.
System administrators are also advised to tighten access control to phpMyAdmin by allowing access only from the internal network. If remote access is necessary, administrators should consider using secure channels, including a Virtual Private Network (VPN), to protect the administrative platform.
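One way to check that the access restriction above is actually in effect is to audit the web server access log for phpMyAdmin requests from non-internal addresses. The script below is an added example, not part of the original advisory or of phpMyAdmin; the URL prefixes, the internal ranges, the log format and the sample log lines are assumptions to adapt to the site.

```python
import ipaddress
import re

# Assumption: phpMyAdmin is served under one of these URL prefixes.
PMA_PREFIXES = ("/phpmyadmin", "/pma")
# Assumption: these ranges make up the "internal network".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]
# Common/Combined Log Format: client ident user [time] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '10.1.2.3 - - [12/Dec/2018:09:00:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Dec/2018:09:00:05 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 200 5120',
    '198.51.100.9 - - [12/Dec/2018:09:01:00 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 403 199',
    '203.0.113.7 - - [12/Dec/2018:09:02:00 +0000] "GET /index.html HTTP/1.1" 200 300',
]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError for hostnames
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)

def external_pma_hits(lines):
    """Return (client, method, path, status) for phpMyAdmin requests from outside."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        client, method, path, status = m.groups()
        if not path.lower().startswith(PMA_PREFIXES):
            continue
        try:
            if is_internal(client):
                continue
        except ValueError:
            pass  # logged as a hostname: cannot be shown to be internal, so report it
        hits.append((client, method, path, int(status)))
    return hits

def not_blocked(hits):
    """External requests the server did not refuse (assumes a deny rule answers 403)."""
    return [h for h in hits if h[3] != 403]

if __name__ == "__main__":
    for hit in not_blocked(external_pma_hits(SAMPLE_LOG)):
        print("phpMyAdmin reachable from outside:", hit)
```

Any entry returned by `not_blocked` means the interface answered a client outside the listed ranges, so the web server or firewall rule needs tightening.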
https://www.phpmyadmin.net/news/2018/12/11/security-fix-phpmyadmin-484-released/
https://www.phpmyadmin.net/security/PMASA-2018-6/
https://www.phpmyadmin.net/security/PMASA-2018-7/
https://www.phpmyadmin.net/security/PMASA-2018-8/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19968
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19969
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19970