Design/Logic Flaw
An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to bypass the logout timeout. All 4.6.x versions prior to 4.6.5, and 4.4.x versions prior to 4.4.15.9 are affected...
UBUNTU-CVE-2016-6616
An issue was discovered in phpMyAdmin. In the "User group" and "Designer" features, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions prior to 4.6.4 and 4.4.x versions prior to 4.4.15.8 are affected...
UBUNTU-CVE-2016-9849
An issue was discovered in phpMyAdmin. It is possible to bypass AllowRoot restriction ($cfg['Servers'][$i]['AllowRoot']) and deny rules for username by using Null Byte in the username. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are affected...
UBUNTU-CVE-2016-6610
A full path disclosure vulnerability was discovered in phpMyAdmin where a user can trigger a particular error in the export mechanism to discover the full path of phpMyAdmin on the disk. All 4.6.x versions prior to 4.6.4, 4.4.x versions prior to 4.4.15.8, and 4.0.x versions prior to 4.0.10.17 are...
UBUNTU-CVE-2016-6623
An issue was discovered in phpMyAdmin. An authorized user can cause a denial-of-service (DoS) attack on a server by passing large values to a loop. All 4.6.x versions prior to 4.6.4, 4.4.x versions prior to 4.4.15.8, and 4.0.x versions prior to 4.0.10.17 are affected...
UBUNTU-CVE-2016-6624
An issue was discovered in phpMyAdmin involving improper enforcement of the IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the...
UBUNTU-CVE-2016-6618
An issue was discovered in phpMyAdmin. The transformation feature allows a user to trigger a denial-of-service (DoS) attack against the server. All 4.6.x versions prior to 4.6.4, 4.4.x versions prior to 4.4.15.8, and 4.0.x versions prior to 4.0.10.17 are affected...
UBUNTU-CVE-2016-6620
An issue was discovered in phpMyAdmin. Some data is passed to the PHP unserialize() function without verification that it's valid serialized data. The unserialization can result in code execution because of the interaction with object instantiation and autoloading. All 4.6.x versions prior to 4.6.4...
UBUNTU-CVE-2016-9852
An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the expo...
UBUNTU-CVE-2016-6613
An issue was discovered in phpMyAdmin. A user can specially craft a symlink on disk, to a file which phpMyAdmin is permitted to read but the user is not, which phpMyAdmin will then expose to the user. All 4.6.x versions prior to 4.6.4, 4.4.x versions prior to 4.4.15.8, and 4.0.x versions prior to...
CVE-2016-6625
Summary: CVE-2016-6625 affects phpMyAdmin. An information-disclosure vulnerability allows an attacker to determine whether a user is logged in to phpMyAdmin. Affected versions are all 4.6.x before 4.6.4, 4.4.x before 4.4.15.8, and 4.0.x before 4.0.10.17. The disclosure does not expose the user’s ...
CVE-2016-4412
phpMyAdmin vulnerability CVE-2016-4412: a user can be tricked into following a link that, after authentication, redirects to a malicious site. Affected are all 4.0.x versions before 4.0.10.16; the attacker must sniff the user’s valid phpMyAdmin token. Remediation: upgrade to a patched version (4....
CVE-2016-9849
CVE-2016-9849 affects phpMyAdmin; the vulnerability lets an attacker bypass the AllowRoot restriction and deny rules for usernames by injecting a null byte into the username. Affected are all 4.6.x versions prior to 4.6.5, 4.4.x prior to 4.4.15.9, and 4.0.x prior to 4.0.10.18. Exploitation could ...
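The two entries above (UBUNTU-CVE-2016-9849 and CVE-2016-9849) describe the same null-byte bypass. The following is an added example, not phpMyAdmin's own code: a simplified deny list standing in for AllowRoot=false plus username deny rules, a naive exact-match check that a NUL byte slips past, and the hardened check that refuses control bytes. The function names are made up for the demo, and the "backend truncates at NUL" behaviour is the assumed mechanism (modelled on C APIs that take NUL-terminated strings), not something the advisory text states.

```php
<?php
// Added example, not phpMyAdmin's own code: why a NUL byte in a username can
// slip past an exact-match deny rule, and the check that closes the gap.
// DENIED_USERS stands in for AllowRoot=false plus deny rules. The truncation
// in nameSeenByBackend() is the assumed mechanism, modelled on C APIs that
// take NUL-terminated strings; the advisory does not spell it out.

const DENIED_USERS = ['root', 'admin'];

// Naive policy check: exact comparison of the full PHP string.
// "root\0anything" !== "root", so the rule never fires.
function isDeniedNaive(string $user): bool
{
    return in_array($user, DENIED_USERS, true);
}

// Stand-in for handing the credentials to a NUL-terminated-string API:
// everything from the first "\0" onward is invisible to the backend.
function nameSeenByBackend(string $user): string
{
    $nul = strpos($user, "\0");
    return $nul === false ? $user : substr($user, 0, $nul);
}

// Hardened policy check: refuse control bytes outright, so the string the
// policy judged is the same string the backend receives. Rejecting is safer
// than stripping, which would silently turn "root\0x" into "root" and then
// depend on the deny list catching it.
function isDeniedHardened(string $user): bool
{
    if (preg_match('/[\x00-\x1F\x7F]/', $user) === 1) {
        return true;
    }
    return in_array($user, DENIED_USERS, true);
}

// Constructed attacker input: the denied name with a NUL byte appended.
$attacker = "root\0bypass";
printf("naive check denies:    %s\n", isDeniedNaive($attacker) ? 'yes' : 'no');
printf("backend authenticates: %s\n", nameSeenByBackend($attacker));
printf("hardened check denies: %s\n", isDeniedHardened($attacker) ? 'yes' : 'no');
```

The point of the hardened version is that the policy and the backend must judge the same bytes; any username that cannot survive the handoff unchanged is rejected before the comparison rather than normalised.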
CVE-2016-9866
An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to...
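The entry above describes a stripping routine that only knew about the default "&" separator. As an added example (not phpMyAdmin's own code), here is a naive token stripper that fails under arg_separator.output=";" next to a version that splits on every separator the installation may have used. The parameter name "token", the function names and the sample return URL are assumptions for the demo.

```php
<?php
// Added example, not phpMyAdmin's own code: removing a CSRF token from a
// return URL without assuming "&" is the query-string separator. The
// parameter name "token" and the ";" separator are assumptions for the demo.

// Naive version: only recognises "&token=...". When the installation builds
// URLs with arg_separator.output=";" the pair is never matched and the token
// travels on to wherever the return URL points.
function stripTokenNaive(string $url): string
{
    return preg_replace('/&token=[^&]*/', '', $url);
}

// Robust version: split the query on every separator this installation may
// have used, drop the token pair, and rebuild with the configured separator.
function stripTokenRobust(string $url, ?string $outSep = null, string $param = 'token'): string
{
    $outSep ??= (ini_get('arg_separator.output') ?: '&');
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['query'])) {
        return $url;
    }
    $inSep = ini_get('arg_separator.input') ?: '&';
    $seps  = preg_quote(implode('', array_unique(str_split('&' . $inSep . $outSep))), '/');
    $kept  = [];
    foreach (preg_split('/[' . $seps . ']/', $parts['query']) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        if (urldecode($k) === $param) {
            continue;
        }
        $kept[urldecode($k)] = urldecode($v);
    }
    $query = http_build_query($kept, '', $outSep);

    $out = '';
    if (isset($parts['scheme'])) { $out .= $parts['scheme'] . '://'; }
    if (isset($parts['host']))   { $out .= $parts['host']; }
    if (isset($parts['port']))   { $out .= ':' . $parts['port']; }
    $out .= $parts['path'] ?? '';
    if ($query !== '') { $out .= '?' . $query; }
    if (isset($parts['fragment'])) { $out .= '#' . $parts['fragment']; }
    return $out;
}

// Constructed return URL, as an install with arg_separator.output=";" would emit it.
$return = 'index.php?target=prefs;token=0123abcd;lang=en';
echo "naive:  ", stripTokenNaive($return), "\n";
echo "robust: ", stripTokenRobust($return, ';'), "\n";
```

The robust routine parses the query into pairs before deciding what to drop; matching a substring of the raw URL is what ties the naive version to one separator.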
CVE-2016-9859
An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in import feature. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are affected...
CVE-2016-6617
An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions prior to 4.6.4 are affected...
CVE-2016-9851
An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to bypass the logout timeout. All 4.6.x versions prior to 4.6.5, and 4.4.x versions prior to 4.4.15.9 are affected...
CVE-2016-9862
CVE-2016-9862 affects phpMyAdmin 4.6.x prior to 4.6.5. A crafted login request can inject BBCode on the login page, per multiple sources (including CNVD-2016-12349). Impact is limited to the login UI, enabling BBCode injection; no broader exploit details are provided in the documents. Remediation...
CVE-2016-6618
CVE-2016-6618 affects phpMyAdmin: the transformation feature can trigger a denial-of-service on the server. Affected are all 4.6.x versions before 4.6.4, all 4.4.x versions before 4.4.15.8, and all 4.0.x versions before 4.0.10.17. The vulnerability is due to the transformation functionality, lead...
CVE-2016-6620
CVE-2016-6620 affects phpMyAdmin: the vulnerability arises when data is passed to unserialize() without validating serialized data, enabling potential code execution through object instantiation/autoloading. Affected versions are all 4.6.x before 4.6.4, 4.4.x before 4.4.15.8, and 4.0.x before 4.0...
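The UBUNTU-CVE-2016-6620 and CVE-2016-6620 entries describe the same unserialize() problem. The following is an added example, not phpMyAdmin's own code: a stand-in class with a destructor, a vulnerable importer that hands request data straight to unserialize(), and a hardened importer that disables object instantiation and checks the result's shape. The class, the function names and both serialized payloads are constructed for the demo.

```php
<?php
// Added example, not phpMyAdmin's own code: why feeding request data to
// unserialize() is dangerous and what the hardened call looks like. The
// class, the function names and the serialized payloads are constructed for
// the demo; any autoloadable class with a magic method plays the same role.

class TempFileCleaner
{
    public static array $effects = [];
    public string $path = '';

    // unserialize() never calls the constructor, but __destruct still runs
    // when the object goes away, with whatever $path the payload set. A real
    // gadget would unlink() or write the file; this one only records it so
    // the demo is safe to run.
    public function __destruct()
    {
        self::$effects[] = 'would unlink ' . $this->path;
    }
}

// Vulnerable: the payload decides which class is instantiated and with what
// properties; autoloading makes every class in the application available.
function importPreferencesVulnerable(string $blob)
{
    return unserialize($blob);
}

// Hardened: allowed_classes=false turns every object in the payload into a
// __PHP_Incomplete_Class, whose magic methods never run. The shape check
// then refuses anything that is not the plain array we expect.
function importPreferencesHardened(string $blob): array
{
    $data = @unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('preferences must be a serialized array');
    }
    array_walk_recursive($data, function ($value): void {
        if (is_object($value)) {
            throw new InvalidArgumentException('objects are not allowed in preferences');
        }
    });
    return $data;
}

// Constructed attacker payload: a TempFileCleaner pointing at a file the
// attacker must not be able to remove.
$hostile = 'O:15:"TempFileCleaner":1:{s:4:"path";s:28:"/var/www/html/config.inc.php";}';

$obj = importPreferencesVulnerable($hostile);
echo "vulnerable path instantiated: ", get_class($obj), "\n";
unset($obj);                                  // __destruct fires with the attacker's $path
echo "side effect recorded: ", implode(', ', TempFileCleaner::$effects), "\n";

try {
    importPreferencesHardened($hostile);
} catch (InvalidArgumentException $e) {
    echo "hardened path rejected payload: ", $e->getMessage(), "\n";
}

// Constructed benign payload: the shape the hardened importer accepts.
$benign = importPreferencesHardened('a:1:{s:5:"theme";s:8:"pmahomme";}');
echo "hardened path accepted: ", json_encode($benign), "\n";
```

Where the data format is under your control, a non-executable encoding such as JSON removes the problem entirely; the allowed_classes option is the fallback when serialized PHP must be accepted.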