CVE-2016-9855

MEDIUM

Phpmyadmin - Information Disclosure

Title source: rule

Description

An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the PMA_shutdownDuringExport issue.

References (3)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/94527

[Patch, Vendor Advisory] https://www.phpmyadmin.net/security/PMASA-2016-63

[Third Party Advisory] https://security.gentoo.org/glsa/201701-32

Scores

CVSS v3 5.3

EPSS 0.0072

EPSS Percentile 72.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-200

Status draft

Affected Products (33)

phpmyadmin/phpmyadmin

... and 18 more

Timeline

Published Dec 11, 2016

Tracked Since Feb 18, 2026