CVE-2016-9849

An issue was discovered in phpMyAdmin. It is possible to bypass AllowRoot restriction $cfg'Servers'$i'AllowRoot' and deny rules for username by using Null Byte in the username. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are affected...

CVE-2016-9860

An issue was discovered in phpMyAdmin. An unauthenticated user can execute a denial of service attack when phpMyAdmin is running with $cfg'AllowArbitraryServer'=true. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are affected...

CVE-2016-9858

An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in saved searches feature. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are affected...

CVE-2016-9856

An XSS issue was discovered in phpMyAdmin because of an improper fix for CVE-2016-2559 in PMASA-2016-10. This issue is resolved by using a copy of a hash to avoid a race condition. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are...

CVE-2016-9857

An issue was discovered in phpMyAdmin. XSS is possible because of a weakness in a regular expression used in some JavaScript processing. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are affected...

CVE-2016-9865

CVE-2016-9865 affects phpMyAdmin due to a bug in serialized string parsing that can bypass PMA_safeUnserialize(). Affected versions: 4.6.x before 4.6.5; 4.4.x before 4.4.15.9; 4.0.x before 4.0.10.18. Remediations are available in the corresponding fixed releases: 4.6.5, 4.4.15.9, 4.0.10.18. Metri...

CVE-2016-9864

CVE-2016-9864 concerns phpMyAdmin with SQL injection in the tracking functionality via crafted usernames or table names, granting the control user’s privileges to read/write the configuration storage and potentially access some MySQL tables. Affected versions are all 4.6.x before 4.6.5, all 4.4.x...

CVE-2016-9861

An issue was discovered in phpMyAdmin. Due to the limitation in URL matching, it was possible to bypass the URL white-list protection. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are affected...

CVE-2016-6624

CVE-2016-6624 affects phpMyAdmin: IPv6 in proxy setups can bypass IP-based authentication when the proxy is allowed but the client is not. Affected versions are 4.6.x before 4.6.4, 4.4.x before 4.4.15.8, and 4.0.x before 4.0.10.17. The vulnerability allows the attacking host to connect despite IP...

CVE-2016-6611

CVE-2016-6611 affects phpMyAdmin across multiple branches: 4.0.x before 4.0.10.17, 4.4.x before 4.4.15.8, and 4.6.x before 4.6.4. The issue is an SQL injection triggered via the export functionality when a specially crafted database/table name is used. Impact details are described in the connecte...

CVE-2016-9848

CVE-2016-9848 affects phpMyAdmin: the phpinfo() output reveals PHP info including the values of HttpOnly cookies. Affected versions are all 4.6.x before 4.6.5, all 4.4.x before 4.4.15.9, and all 4.0.x before 4.0.10.18. The issue is due to exposure of cookie values in phpinfo output. Mitigation: u...

CVE-2016-9858

CVE-2016-9858 affects phpMyAdmin. An issue allows a crafted request parameter to trigger a denial of service in the saved searches feature. Affected versions are 4.6.x before 4.6.5, 4.4.x before 4.4.15.9, and 4.0.x before 4.0.10.18. Mitigation: upgrade to newer releases (e.g., phpMyAdmin 4.6.5.1+...

CVE-2016-9858

An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in saved searches feature. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are affected...

CVE-2016-9848

An issue was discovered in phpMyAdmin. phpinfo phpinfo.php shows PHP information including values of HttpOnly cookies. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are affected...

CVE-2016-9847

The CVE-2016-9847 issue affects phpMyAdmin, where not specifying a blowfish_secret for cookie encryption causes a runtime-generated value that uses a weak algorithm. Affected are phpMyAdmin releases: 4.6.x before 4.6.5, 4.4.x before 4.4.15.9, and 4.0.x before 4.0.10.18. The weak construction coul...

CVE-2016-9852

An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the expo...

CVE-2016-6614

CVE-2016-6614 affects phpMyAdmin and is caused by the %u username replacement used by SaveDir and UploadDir, enabling a specially crafted username to bypass file-system restrictions (Filesystem traversal). Affected versions: all 4.6.x prior to 4.6.4, all 4.4.x prior to 4.4.15.8, and all 4.0.x pri...

CVE-2016-6615

CVE-2016-6615 describes cross-site scripting (XSS) issues in phpMyAdmin. Affected areas include the navigation pane, database/table hiding feature, the Tracking feature, and the GIS visualization feature. All 4.6.x versions prior to 4.6.4 and 4.4.x versions prior to 4.4.15.8 are affected. The pro...

CVE-2016-6613

An issue was discovered in phpMyAdmin. A user can specially craft a symlink on disk, to a file which phpMyAdmin is permitted to read but the user is not, which phpMyAdmin will then expose to the user. All 4.6.x versions prior to 4.6.4, 4.4.x versions prior to 4.4.15.8, and 4.0.x versions prior to...

CVE-2016-6617

An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions prior to 4.6.4 are affected...