CVE-2016-9861
An issue was discovered in phpMyAdmin. Due to the limitation in URL matching, it was possible to bypass the URL white-list protection. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are affected...
CVE-2016-6616
An issue was discovered in phpMyAdmin. In the "User group" and "Designer" features, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions prior to 4.6.4 and 4.4.x versions prior to 4.4.15.8 are affected...
CVE-2016-6611
An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions prior to 4.6.4, 4.4.x versions prior to 4.4.15.8, and 4.0.x versions prior to 4.0.10.17 are affected...
CVE-2016-6618
An issue was discovered in phpMyAdmin. The transformation feature allows a user to trigger a denial-of-service (DoS) attack against the server. All 4.6.x versions prior to 4.6.4, 4.4.x versions prior to 4.4.15.8, and 4.0.x versions prior to 4.0.10.17 are affected...
CVE-2016-6606
phpMyAdmin is affected by CVE-2016-6606 due to a padding oracle vulnerability in cookie-based encryption that could allow an attacker with access to a user’s browser cookie to decrypt the stored username and password. The issue also stems from reusing the same IV to hash the username and password...
CVE-2016-6608
CVE-2016-6608 refers to a Cross-site Scripting (XSS) vulnerability in phpMyAdmin affecting 4.6.x versions prior to 4.6.4, specifically impacting the database privilege check and the Remove partitioning functionality via specially crafted database names. The issue is rooted in input validation tha...
CVE-2016-6609
CVE-2016-6609 affects phpMyAdmin; a specially crafted database name could cause arbitrary PHP commands to be executed via the array export feature. Affected versions: all 4.6.x before 4.6.4, all 4.4.x before 4.4.15.8, and all 4.0.x before 4.0.10.17. Remediation is upgrade to the fixed releases (4...
CVE-2016-9851
CVE-2016-9851 (phpMyAdmin): A vulnerability allows bypass of the logout timeout via a crafted request parameter. Affected are all 4.6.x versions prior to 4.6.5 and 4.4.x versions prior to 4.4.15.9. The issue is documented in the initial CVE entry, with CVSS metrics indicating a low to medium imp...
CVE-2016-6623
CVE-2016-6623 affects phpMyAdmin: an authorized user can cause a denial-of-service on the server by passing large values to a loop. Affected versions include all 4.6.x before 4.6.4, 4.4.x before 4.4.15.8, and 4.0.x before 4.0.10.17. The issue is a DoS condition due to looping with large inputs; n...
CVE-2016-6607
phpMyAdmin is affected by CVE-2016-6607: XSS vulnerabilities in multiple components (Zoom search, GIS editor, relations view, various Transformations, XML/MediaWiki exports, Designer, etc.) due to improper escaping. Affected are phpMyAdmin 4.0.x before 4.0.10.17, 4.4.x before 4.4.15.8, and 4.6.x ...
CVE-2016-6631
CVE-2016-6631 describes a remote code execution issue in phpMyAdmin when run as CGI. Under certain server configurations, a user can pass a query string that is executed as a command-line argument by the file generator_plugin.sh, enabling RCE on the server. Affected versions are all 4.6.x before ...
CVE-2016-6632
An issue was discovered in phpMyAdmin where, under certain conditions, phpMyAdmin may not delete temporary files during the import of ESRI files. All 4.6.x versions prior to 4.6.4, 4.4.x versions prior to 4.4.15.8, and 4.0.x versions prior to 4.0.10.17 are affected...
CVE-2016-9854
Summary (CVE-2016-9854): A path disclosure issue in phpMyAdmin arises when triggering certain scripts; an error message can reveal the full path to the phpMyAdmin installation, and during export time these paths are written into the export file. Affected versions are all 4.6.x before 4.6.5 and 4...
CVE-2016-9849
An issue was discovered in phpMyAdmin. It is possible to bypass the AllowRoot restriction ($cfg['Servers'][$i]['AllowRoot']) and deny rules for a username by using a null byte in the username. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are affected...
CVE-2016-9856
CVE-2016-9856 is a phpMyAdmin XSS issue tied to an earlier fix for CVE-2016-2559 (PMASA-2016-10). The vulnerability affects 4.6.x (before 4.6.5), 4.4.x (before 4.4.15.9), and 4.0.x (before 4.0.10.18) due to reuse of a hash in a race condition; remediation is to upgrade to fixed versions (e.g., 4....
CVE-2016-9855
CVE-2016-9855 affects phpMyAdmin: PMA_shutdownDuringExport allows error output revealing the full phpMyAdmin directory path when an export times out. Affected: phpMyAdmin 4.6.x prior to 4.6.5 and 4.4.x prior to 4.4.15.9. This issue arises from triggering PHP errors via certain script calls, with ...
CVE-2016-9860
CVE-2016-9860 describes a DoS in phpMyAdmin when $cfg['AllowArbitraryServer']=true. Affected are phpMyAdmin 4.6.x before 4.6.5, 4.4.x before 4.4.15.9, and 4.0.x before 4.0.10.18. Root cause is unauthenticated DoS via arbitrary servers; impact is availability. Remediation per connected sources: up...
CVE-2016-6632
CVE-2016-6632 affects phpMyAdmin: under certain conditions, temporary files may not be deleted during ESRI-file imports. Affected versions include all 4.6.x before 4.6.4, 4.4.x before 4.4.15.8, and 4.0.x before 4.0.10.17. Remediation guidance from connected documents: Debian LTS fixes apply to ph...
CVE-2016-9854
An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the expo...
CVE-2016-6613
CVE-2016-6613 affects phpMyAdmin. A user can craft a symlink on disk to a file that phpMyAdmin can read but the user cannot, which phpMyAdmin will expose to the user. Affected versions are all 4.6.x before 4.6.4, 4.4.x before 4.4.15.8, and 4.0.x before 4.0.10.17. Remediation is to upgrade to 4.6....