Description
libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value.
References (8)
- Patch (x_refsource_confirm): https://github.com/phpmyadmin/phpmyadmin/commit/f20970d32c3dfdf82aef7b6c244da1f769043813
- Third Party Advisory, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html
- Third Party Advisory, vendor-advisory (x_refsource_debian): http://www.debian.org/security/2016/dsa-3627
- Third Party Advisory, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html
- Third Party Advisory, vendor-advisory (x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html
- Third Party Advisory, vendor-advisory (x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html
- Patch, Vendor Advisory (x_refsource_confirm): http://www.phpmyadmin.net/home_page/security/PMASA-2016-2.php
- Patch (x_refsource_confirm): https://github.com/phpmyadmin/phpmyadmin/commit/cb7748ac9cffcd1cd0f3081499cd4aafa9d1065e
Scores
- CVSS v3: 5.3
- EPSS: 0.0038
- EPSS Percentile: 59.7%
- Attack Vector: NETWORK
- CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
- CWE: CWE-200
- Status: published
Products (48)
- fedoraproject/fedora 23
- fedoraproject/fedora 24
- opensuse/leap 42.1
- opensuse/opensuse 13.1
- opensuse/opensuse 13.2
- phpmyadmin/phpmyadmin 4.0.0 (3 CPE variants)
- phpmyadmin/phpmyadmin 4.0.1
- phpmyadmin/phpmyadmin 4.0.10
- phpmyadmin/phpmyadmin 4.0.10.1
- phpmyadmin/phpmyadmin 4.0.10.2
- ... and 38 more
Published: Feb 20, 2016
Tracked Since: Feb 18, 2026