Total
270 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2016-2038 | 3 Fedoraproject, Opensuse, Phpmyadmin | 4 Fedora, Leap, Opensuse and 1 more | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. | |||||
CVE-2016-5099 | 2 Opensuse, Phpmyadmin | 2 Opensuse, Phpmyadmin | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding. | |||||
CVE-2016-2039 | 3 Fedoraproject, Opensuse, Phpmyadmin | 4 Fedora, Leap, Opensuse and 1 more | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value. | |||||
CVE-2016-5703 | 2 Opensuse, Phpmyadmin | 3 Leap, Opensuse, Phpmyadmin | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
SQL injection vulnerability in libraries/central_columns.lib.php in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allows remote attackers to execute arbitrary SQL commands via a crafted database name that is mishandled in a central column query. | |||||
CVE-2016-2042 | 3 Fedoraproject, Opensuse, Phpmyadmin | 4 Fedora, Leap, Opensuse and 1 more | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request to (1) libraries/phpseclib/Crypt/AES.php or (2) libraries/phpseclib/Crypt/Rijndael.php, which reveals the full path in an error message. | |||||
CVE-2016-5734 | 1 Phpmyadmin | 1 Phpmyadmin | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation. | |||||
CVE-2016-5702 | 1 Phpmyadmin | 1 Phpmyadmin | 2023-12-10 | 4.3 MEDIUM | 3.7 LOW |
phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI. | |||||
CVE-2016-2041 | 3 Fedoraproject, Opensuse, Phpmyadmin | 4 Fedora, Leap, Opensuse and 1 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences. | |||||
CVE-2016-2043 | 3 Fedoraproject, Opensuse, Phpmyadmin | 4 Fedora, Leap, Opensuse and 1 more | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
Cross-site scripting (XSS) vulnerability in the goToFinish1NF function in js/normalization.js in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a table name to the normalization page. | |||||
CVE-2016-5097 | 2 Opensuse, Phpmyadmin | 2 Opensuse, Phpmyadmin | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
phpMyAdmin before 4.6.2 places tokens in query strings and does not arrange for them to be stripped before external navigation, which allows remote attackers to obtain sensitive information by reading (1) HTTP requests or (2) server logs. | |||||
CVE-2016-2040 | 3 Fedoraproject, Opensuse, Phpmyadmin | 4 Fedora, Leap, Opensuse and 1 more | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname in a Location header. | |||||
CVE-2016-5739 | 2 Opensuse, Phpmyadmin | 3 Leap, Opensuse, Phpmyadmin | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php. | |||||
CVE-2016-5732 | 1 Phpmyadmin | 1 Phpmyadmin | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the partition-range implementation in templates/table/structure/display_partitions.phtml in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via crafted table parameters. | |||||
CVE-2016-2559 | 1 Phpmyadmin | 1 Phpmyadmin | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
Cross-site scripting (XSS) vulnerability in the format function in libraries/sql-parser/src/Utils/Error.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.5.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query. | |||||
CVE-2016-5731 | 2 Opensuse, Phpmyadmin | 3 Leap, Opensuse, Phpmyadmin | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in examples/openid.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message. | |||||
CVE-2016-5098 | 2 Opensuse, Phpmyadmin | 2 Opensuse, Phpmyadmin | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
Directory traversal vulnerability in libraries/error_report.lib.php in phpMyAdmin before 4.6.2-prerelease allows remote attackers to determine the existence of arbitrary files by triggering an error. | |||||
CVE-2015-3902 | 1 Phpmyadmin | 1 Phpmyadmin | 2023-12-10 | 6.8 MEDIUM | N/A |
Multiple cross-site request forgery (CSRF) vulnerabilities in the setup process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 allow remote attackers to hijack the authentication of administrators for requests that modify the configuration file. | |||||
CVE-2016-2560 | 1 Phpmyadmin | 1 Phpmyadmin | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to libraries/controllers/TableSearchController.class.php in the zoom search page. | |||||
CVE-2016-1927 | 1 Phpmyadmin | 1 Phpmyadmin | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the Math.random JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach. | |||||
CVE-2016-2561 | 1 Phpmyadmin | 1 Phpmyadmin | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3) templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos parameter to db_central_columns.php in the central columns page. |