Description
phpMyAdmin before 4.6.2 places tokens in query strings and does not arrange for them to be stripped before external navigation, which allows remote attackers to obtain sensitive information by reading (1) HTTP requests or (2) server logs.
References (8)
Patch (x_refsource_confirm): https://github.com/phpmyadmin/phpmyadmin/commit/8326aaebe54083d9726e153abdd303a141fe5ad3
Patch, Vendor Advisory (x_refsource_confirm): https://www.phpmyadmin.net/security/PMASA-2016-14
Mailing List, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2016-06/msg00043.html
Third Party Advisory, VDB Entry, vdb-entry (x_refsource_sectrack): http://www.securitytracker.com/id/1035978
Patch (x_refsource_confirm): https://github.com/phpmyadmin/phpmyadmin/commit/59e56bd63a5e023b797d82eb272cd074e3b4bfd1
Patch (x_refsource_confirm): https://github.com/phpmyadmin/phpmyadmin/commit/11eb574242d2526107366d367ab5585fbe29578f
Patch (x_refsource_confirm): https://github.com/phpmyadmin/phpmyadmin/commit/5fc8020c5ba9cd2e38beb5dfe013faf2103cdf0f
Third Party Advisory, vendor-advisory (x_refsource_gentoo): https://security.gentoo.org/glsa/201701-32
Scores
CVSS v3: 5.3
EPSS: 0.0055
EPSS Percentile: 68.2%
Attack Vector: NETWORK
CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE: CWE-200
Status: published
Products (2)
opensuse/opensuse 13.1
phpmyadmin/phpmyadmin < 4.6.1
Published: Jul 05, 2016
Tracked Since: Feb 18, 2026