CVE-2016-2560

MEDIUM

phpMyAdmin 4.0.x < 4.0.10.15, 4.4.x < 4.4.15.5, 4.5.x < 4.5.5.1 - Cross-Site Scripting

Title source: llm
STIX 2.1

Description

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to libraries/controllers/TableSearchController.class.php in the zoom search page.

References (11)

Core 11
Core References
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178562.html
Patch, Vendor Advisory x_refsource_confirm
https://www.phpmyadmin.net/security/PMASA-2016-11/
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3627
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178869.html
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2016-03/msg00020.html
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2016-03/msg00018.html

Scores

CVSS v3 6.1
EPSS 0.0134
EPSS Percentile 80.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (50)
phpmyadmin/phpmyadmin 4.0.0
phpmyadmin/phpmyadmin 4.0.1
phpmyadmin/phpmyadmin 4.0.2
phpmyadmin/phpmyadmin 4.0.3
phpmyadmin/phpmyadmin 4.0.4
phpmyadmin/phpmyadmin 4.0.4.1
phpmyadmin/phpmyadmin 4.0.4.2
phpmyadmin/phpmyadmin 4.0.5
phpmyadmin/phpmyadmin 4.0.6
phpmyadmin/phpmyadmin 4.0.7
... and 40 more
Published Mar 01, 2016
Tracked Since Feb 18, 2026