CVE-2009-4605

Name	CVE-2009-4605
Description	scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before 2.11.10 calls the unserialize function on the values of the (1) configuration and (2) v[0] parameters, which might allow remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-2034-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
phpmyadmin (PTS)	bullseye	4:5.0.4+dfsg2-2+deb11u1	fixed
	bullseye (security)	4:5.0.4+dfsg2-2+deb11u2	fixed
	bookworm	4:5.2.1+dfsg-1+deb12u1	fixed
	sid, trixie	4:5.2.2-really+dfsg-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
phpmyadmin	source	lenny	4:2.11.8.1-5+lenny4		DSA-2034-1
phpmyadmin	source	(unstable)	4:3.2.4-1

Notes

vulnerable code does not in the 3.x series (sid and squeeze checked)
http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=13149
there is still at least one unserialize() call on _POST data