A vulnerability was found where, under some circumstances, an attacker
can inject arbitrary values into the browser's cookies.
Installations are only affected when PHP_SELF is not set.
A vulnerability was discovered that allows an SQL injection attack to
run arbitrary commands as the control user.
This attack requires a controluser to exist and to be configured in
config.inc.php; the attack can therefore be mitigated by temporarily
disabling the controluser.
A cross-site scripting (XSS) vulnerability was discovered on the table
structure page.
A denial-of-service (DoS) vulnerability was discovered in the way phpMyAdmin
loads some JavaScript files.
By specially crafting requests in the following areas, it is possible
to trigger phpMyAdmin into displaying a PHP error message that contains the
full path of the directory where phpMyAdmin is installed.
To mitigate these issues, the setup script and examples subdirectories
(./setup/ and ./examples/) can be removed.
With a specially crafted request, it is possible to trigger a
cross-site scripting attack through the example OpenID authentication
script.
Installations are only affected when the default php.ini has been changed to set html_errors = Off.
A vulnerability was reported allowing specially crafted table
parameters to cause a cross-site scripting attack through the table
structure page.
A vulnerability was reported where a specially crafted Transformation
could be used to leak information including the authentication token.
This could be used to direct a CSRF attack against a user.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
any | any | any | phpmyadmin | < 4.6.3-1 | UNKNOWN |
access.redhat.com/security/cve/CVE-2016-5701
access.redhat.com/security/cve/CVE-2016-5702
access.redhat.com/security/cve/CVE-2016-5703
access.redhat.com/security/cve/CVE-2016-5704
access.redhat.com/security/cve/CVE-2016-5705
access.redhat.com/security/cve/CVE-2016-5706
access.redhat.com/security/cve/CVE-2016-5730
access.redhat.com/security/cve/CVE-2016-5731
access.redhat.com/security/cve/CVE-2016-5732
access.redhat.com/security/cve/CVE-2016-5733
access.redhat.com/security/cve/CVE-2016-5739
www.phpmyadmin.net/security/PMASA-2016-17/
www.phpmyadmin.net/security/PMASA-2016-18/
www.phpmyadmin.net/security/PMASA-2016-19/
www.phpmyadmin.net/security/PMASA-2016-20/
www.phpmyadmin.net/security/PMASA-2016-21/
www.phpmyadmin.net/security/PMASA-2016-22/
www.phpmyadmin.net/security/PMASA-2016-23/
www.phpmyadmin.net/security/PMASA-2016-24/
www.phpmyadmin.net/security/PMASA-2016-25/
www.phpmyadmin.net/security/PMASA-2016-26/
www.phpmyadmin.net/security/PMASA-2016-27/
www.phpmyadmin.net/security/PMASA-2016-28/