CVE-2016-5099
MEDIUMphpMyAdmin 4.4.x < 4.4.15.6 and 4.6.x < 4.6.2 - Cross-Site Scripting via Double URL Decoding
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding.
References (7)
Core 7
Core References
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2016-06/msg00043.html
Patch, Vendor Advisory x_refsource_confirm
https://www.phpmyadmin.net/security/PMASA-2016-16
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1035979
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/90877
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2016/dsa-3627
Patch x_refsource_confirm
https://github.com/phpmyadmin/phpmyadmin/commit/b061096abd992801fbbd805ef6ff74e627528780
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201701-32
Scores
CVSS v3
6.1
EPSS
0.0049
EPSS Percentile
65.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (27)
opensuse/opensuse
13.1
phpmyadmin/phpmyadmin
4.4.0
phpmyadmin/phpmyadmin
4.4.1
phpmyadmin/phpmyadmin
4.4.1.1
phpmyadmin/phpmyadmin
4.4.2
phpmyadmin/phpmyadmin
4.4.3
phpmyadmin/phpmyadmin
4.4.4
phpmyadmin/phpmyadmin
4.4.5
phpmyadmin/phpmyadmin
4.4.6
phpmyadmin/phpmyadmin
4.4.6.1
... and 17 more
Published
Jul 05, 2016
Tracked Since
Feb 18, 2026