CVE-2019-25451 in phpMoAdmin

Summary

by MITRE • 02/21/2026

phpMoAdmin 1.1.5 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized database operations by crafting malicious requests. Attackers can trick authenticated users into submitting GET requests to moadmin.php with parameters like action, db, and collection to create, drop, or repair databases and collections without user consent.


Analysis

by VulDB Data Team • 03/03/2026

The vulnerability identified as CVE-2019-25451 affects phpMoAdmin version 1.1.5, a web-based administration tool for MongoDB databases. This cross-site request forgery vulnerability represents a critical security flaw that undermines the integrity of user sessions and database access controls. The flaw exists in the application's handling of authenticated requests, specifically when processing parameters related to database operations. Attackers can exploit this weakness by constructing malicious web pages or links that automatically submit requests to the vulnerable application, thereby executing unauthorized database operations on behalf of authenticated users without their knowledge or consent.

The technical implementation of this CSRF vulnerability stems from the application's failure to implement proper request validation mechanisms. When users access the moadmin.php endpoint with parameters such as action, db, and collection, the application processes these requests without verifying their authenticity or origin. This absence of anti-CSRF tokens or request origin checks creates an exploitable condition where malicious actors can craft GET requests that perform sensitive database operations including creating new databases, dropping existing collections, or repairing database structures. The vulnerability is particularly dangerous because it leverages the authenticated user's session to execute operations that should require explicit user confirmation or additional authentication factors.

The operational impact of this vulnerability extends beyond simple unauthorized access to database resources. An attacker who successfully exploits this CSRF flaw can cause significant disruption to database operations, potentially leading to data loss, service interruption, or even complete database compromise. The ability to create new databases allows attackers to establish persistent access points or store malicious data, while the capability to drop collections can result in permanent data deletion. Additionally, the repair functionality could be abused to corrupt database structures or manipulate data integrity. This vulnerability directly violates security principles outlined in the OWASP Top Ten, specifically addressing the weakness of insufficient logging and monitoring, and represents a classic example of how CSRF flaws can be leveraged to perform privilege escalation attacks against web applications.

Security mitigations for this vulnerability should focus on implementing robust anti-CSRF protection mechanisms within the phpMoAdmin application. The most effective approach involves incorporating unique, unpredictable tokens for each user session that must be validated before any database operation is executed. This implementation aligns with CWE-352, which categorizes CSRF vulnerabilities as a critical weakness in web application security. Organizations should also consider implementing strict Referer header validation, enforcing SameSite cookies, and requiring explicit user confirmation for sensitive operations. The ATT&CK framework categorizes this vulnerability under T1548.002, which addresses privilege escalation through abuse of web application vulnerabilities, emphasizing the need for proper input validation and authentication mechanisms. Additionally, regular security assessments and code reviews should be implemented to identify similar vulnerabilities in other web applications, as CSRF flaws are commonly found in legacy systems that lack modern security controls.
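The token-based mitigation described above, written as an added PHP example that is not phpMoAdmin's own code: it refuses a mutating action on moadmin.php unless the request is a POST carrying a per-session token, and additionally rejects cross-site submissions via Sec-Fetch-Site. The action names and function names are assumed for illustration.

```php
<?php
// Added example (not phpMoAdmin's code): guards a state-changing moadmin.php
// request with a per-session token, a POST-only rule and a Sec-Fetch-Site check.
// Action and function names are assumed for illustration.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]); // PHP >= 7.3
session_start();

// Issue one unpredictable token per session; embed it as a hidden field in every mutating form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Returns null when the request may proceed, otherwise the reason it was refused.
function csrfViolation(array $server, array $post, string $sessionToken): ?string
{
    // A plain link or <img> only produces a GET, so mutations must be POST.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'state-changing actions require POST';
    }
    $sent = $post['csrf_token'] ?? null;
    if (!is_string($sent) || !hash_equals($sessionToken, $sent)) { // constant-time compare
        return 'missing or invalid CSRF token';
    }
    // Browsers that send Sec-Fetch-Site let us refuse cross-site submissions outright.
    $site = $server['HTTP_SEC_FETCH_SITE'] ?? '';
    if ($site !== '' && !in_array($site, ['same-origin', 'none'], true)) {
        return "cross-site request refused (Sec-Fetch-Site=$site)";
    }
    return null;
}

$mutating = ['createDb', 'dropDb', 'repairDb', 'createCollection', 'dropCollection']; // assumed names
$action   = $_REQUEST['action'] ?? '';

if (in_array($action, $mutating, true)) {
    $problem = csrfViolation($_SERVER, $_POST, csrfToken());
    if ($problem !== null) {
        error_log("CSRF guard blocked action=$action: $problem"); // detection signal for the web log
        http_response_code(403);
        exit('Forbidden');
    }
    // ... run the real database operation here ...
}
```

Every form that triggers one of the mutating actions must include `csrfToken()` as a hidden `csrf_token` field, and the logged rejections are a cheap signal for spotting forged requests against the admin interface.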

Responsible: VulnCheck

Reservation: 02/20/2026

Disclosure: 02/21/2026

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.00056

KEV: no

Activities: very low
