Description
Cross-site scripting (XSS) vulnerability in examples/openid.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message.
References (7)
Core References
https://www.phpmyadmin.net/security/PMASA-2016-24/ (Patch; x_refsource_confirm)
https://github.com/phpmyadmin/phpmyadmin/commit/94cf3864254ffaf3a69e97d8fc454888368b94ab (Patch; x_refsource_confirm)
http://lists.opensuse.org/opensuse-updates/2016-06/msg00114.html (Mailing List; vendor-advisory; x_refsource_suse)
http://www.debian.org/security/2016/dsa-3627 (Third Party Advisory; vendor-advisory; x_refsource_debian)
https://github.com/phpmyadmin/phpmyadmin/commit/418aeea3d83b0b6021bac311d849570acfc6e48c (Patch, Vendor Advisory; x_refsource_confirm)
https://security.gentoo.org/glsa/201701-32 (Third Party Advisory; vendor-advisory; x_refsource_gentoo)
http://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html (Mailing List; vendor-advisory; x_refsource_suse)
Scores
CVSS v3: 6.1
EPSS: 0.0042
EPSS Percentile: 62.3%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-79
Status: published
Products (47)
opensuse/leap 42.1
opensuse/opensuse 13.1
opensuse/opensuse 13.2
phpmyadmin/phpmyadmin 4.6.0 (4 CPE variants)
phpmyadmin/phpmyadmin 4.6.1
phpmyadmin/phpmyadmin 4.6.2
phpmyadmin/phpmyadmin 4.0.0
phpmyadmin/phpmyadmin 4.0.1
phpmyadmin/phpmyadmin 4.0.2
phpmyadmin/phpmyadmin 4.0.3
... and 37 more
Published: Jul 03, 2016
Tracked Since: Feb 18, 2026