Insufficiently Protected Credentials Affecting xampp package, versions [development,1.7.1]


Severity: high (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

EPSS: 1.12% (85th percentile)

  • Snyk ID: SNYK-UNMANAGED-XAMPP-2381733
  • Published: 26 Jan 2022
  • Disclosed: 16 Mar 2009
  • Credit: Unknown

Introduced: 16 Mar 2009

CVE-2009-0919
CWE-255

How to fix?

There is no fixed version for xampp.

Overview

Affected versions of this package are vulnerable to Insufficiently Protected Credentials. XAMPP installs multiple packages with insecure default passwords, which makes it easier for remote attackers to obtain access via (1) the "lampp" default password for the "nobody" account within the included ProFTPD installation, (2) a blank default password for the "root" account within the included MySQL installation, (3) a blank default password for the "pma" account within the phpMyAdmin installation, and possibly other unspecified passwords. NOTE: this was originally reported as a problem in DFLabs PTK, but this issue affects any product that is installed within the XAMPP environment, and should not be viewed as a vulnerability within that product. NOTE: DFLabs states that PTK is intended for use in a laboratory with "no contact from / to internet."
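A defender-side audit for the blank and default MySQL passwords the advisory describes, added here as an example (not Snyk's, XAMPP's or DFLabs' code). It assumes the `mysql_native_password` scheme (`*` followed by uppercase hex of SHA1(SHA1(password))) and runs over a constructed, tab-separated dump of `mysql.user` rather than a live server; the ProFTPD `nobody`/`lampp` account is outside its scope.

```python
import hashlib


def mysql_native_password_hash(password: str) -> str:
    """mysql_native_password stores '*' + uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed weak-default list: "lampp" is the XAMPP default the advisory names
# (for ProFTPD); checking for its re-use as a MySQL password is an assumption.
WEAK_DEFAULTS = {"lampp": "XAMPP default password 'lampp'",
                 "password": "generic default 'password'"}
WEAK_HASHES = {mysql_native_password_hash(p): why for p, why in WEAK_DEFAULTS.items()}

# Constructed sample modelled on an unhardened XAMPP-style install, in the shape of
# `mysql -N -e "SELECT user,host,plugin,authentication_string FROM mysql.user"`.
SAMPLE_DUMP = (
    "root\tlocalhost\tmysql_native_password\t\n"                      # blank password
    "pma\tlocalhost\tmysql_native_password\t\n"                       # blank password
    "app\t%\tmysql_native_password\t" + mysql_native_password_hash("lampp") + "\n"
    "backup\tlocalhost\tcaching_sha2_password\t$A$005$PLACEHOLDER_NOT_A_REAL_HASH\n"
)


def parse_user_dump(dump: str):
    """Parse tab-separated rows into (user, host, plugin, authentication_string)."""
    rows = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        user, host, plugin, auth = (line.split("\t") + [""] * 4)[:4]
        rows.append((user, host, plugin, auth))
    return rows


def audit_accounts(rows):
    """Return (user, host, reason) for every account with a blank or known-default password."""
    findings = []
    for user, host, plugin, auth in rows:
        if auth == "":
            findings.append((user, host, "blank password (empty authentication_string)"))
        elif plugin == "mysql_native_password" and auth in WEAK_HASHES:
            findings.append((user, host, WEAK_HASHES[auth]))
    return findings


def remediation_sql(findings):
    """ALTER USER statements for each finding; the operator supplies the new password."""
    return [f"ALTER USER '{u}'@'{h}' IDENTIFIED BY '<new-strong-password>';" for u, h, _ in findings]


if __name__ == "__main__":
    for user, host, reason in audit_accounts(parse_user_dump(SAMPLE_DUMP)):
        print(f"{user}@{host}: {reason}")
```

Accounts using `caching_sha2_password` are only checked for a blank string, since that scheme is salted and cannot be compared against a precomputed default hash.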

CVSS Base Scores: version 3.1