| purl | pkg:composer/phpmyadmin/phpmyadmin@4.6.0 |
| Tags | Ghost |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1kme-6s76-k3es
Aliases: CVE-2016-5705 GHSA-6q2j-8h8q-46mr |
phpMyAdmin vulnerable to Cross-site Scripting Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an "invalid JSON" error message in the error console, (3) a database name in the central columns implementation, (4) a group name, or (5) a search name in the bookmarks implementation. |
Affected by 13 other vulnerabilities. |
|
VCID-2739-kr2f-fbd8
Aliases: CVE-2016-5731 GHSA-mwm8-36c5-j5cf |
phpMyAdmin Cross-site scripting (XSS) vulnerability Cross-site scripting (XSS) vulnerability in examples/openid.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message. |
Affected by 13 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-2x7w-vq7h-jfcu
Aliases: CVE-2016-9853 GHSA-rmmf-5xhh-gg27 |
Affected by 3 other vulnerabilities. |
|
|
VCID-35nm-8pfp-mkaq
Aliases: CVE-2016-9866 GHSA-jvxx-8xxf-5495 |
Affected by 3 other vulnerabilities. |
|
|
VCID-3jkz-zdy6-n7dz
Aliases: CVE-2016-5704 GHSA-gcvp-cwgw-wx8j |
phpMyAdmin XSS Vulnerability Cross-site scripting (XSS) vulnerability in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving a comment. |
Affected by 13 other vulnerabilities. |
|
VCID-43mn-rf4g-ayg6
Aliases: CVE-2016-6608 GHSA-jfmj-27fp-qp67 |
phpMyAdmin Cross-site Scripting (XSS) XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the "Remove partitioning" functionality. Specially crafted database names can trigger the XSS attack. All 4.6.x versions (prior to 4.6.4) are affected. |
Affected by 5 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-4k9b-4mxz-87e5
Aliases: CVE-2016-6629 GHSA-567r-vqj7-5cw7 |
phpMyAdmin Authentication Bypass An issue was discovered in phpMyAdmin involving the `$cfg['ArbitraryServerRegexp']` configuration directive. An attacker could reuse certain cookie values in a way that bypasses the servers defined by ArbitraryServerRegexp. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 5 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-5bk1-q3nj-6qef
Aliases: CVE-2016-5733 GHSA-cr65-p662-fx5c |
phpMyAdmin vulnerable to Cross-site Scripting Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during privilege checking in table_row.phtml, (2) a crafted mysqld log_bin directive that is mishandled in log_selector.phtml, (3) the Transformation implementation, (4) AJAX error handling in js/ajax.js, (5) the Designer implementation, (6) the charts implementation in js/tbl_chart.js, or (7) the zoom-search implementation in rows_zoom.phtml. |
Affected by 13 other vulnerabilities. |
|
VCID-5qej-xfah-1kaa
Aliases: CVE-2016-6628 GHSA-phhm-63xx-v9rr |
Affected by 5 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
|
VCID-5x6h-hhj1-5uab
Aliases: CVE-2016-9863 GHSA-qgrq-64g6-mmh6 |
Affected by 3 other vulnerabilities. |
|
|
VCID-6j1s-geef-pfb6
Aliases: CVE-2017-1000018 GHSA-47qr-f86f-3wm4 |
phpMyAdmin DoS Vulnerability phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a DoS attack in the replication status by using a specially crafted table name. |
Affected by 2 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-7udu-bp8s-t7es
Aliases: CVE-2017-1000013 GHSA-5h5m-fj48-qpjw |
phpMyAdmin Open Redirect phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to an open redirect weakness. |
Affected by 2 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-96h9-nz2g-g3be
Aliases: CVE-2016-6618 GHSA-rv6m-chvv-wmxg |
phpMyAdmin Denial of service (DOS) attack in transformation feature An issue was discovered in phpMyAdmin. The transformation feature allows a user to trigger a denial-of-service (DoS) attack against the server. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 5 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-ar2s-q1ey-9ua6
Aliases: CVE-2016-9856 GHSA-j8mx-x32r-5rf4 |
Affected by 3 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
|
VCID-c4mp-bzke-4bhw
Aliases: CVE-2016-6622 GHSA-qf3f-7x69-qfv3 |
phpMyAdmin DoS Vulnerability An issue was discovered in phpMyAdmin. An unauthenticated user is able to execute a denial-of-service (DoS) attack by forcing persistent connections when phpMyAdmin is running with `$cfg['AllowArbitraryServer']=true`. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 5 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-dpv2-3xj4-s7hm
Aliases: CVE-2016-5706 GHSA-9rmm-8fp4-26hv |
phpMyAdmin Denial Of Service (DOS) attack js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to cause a denial of service via a large array in the scripts parameter. |
Affected by 13 other vulnerabilities. |
|
VCID-drq8-z1qe-7ufh
Aliases: CVE-2017-1000017 GHSA-99xj-xqc9-98hr |
phpMyAdmin SSRF in replication phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a weakness where a user with appropriate permissions is able to connect to an arbitrary MySQL server. |
Affected by 2 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-e3xu-5ny1-rkab
Aliases: CVE-2016-6633 GHSA-p849-vf5f-f3x7 |
Affected by 5 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
|
VCID-fsw3-zq48-s3bh
Aliases: CVE-2016-5701 GHSA-rh74-5835-jpxp |
phpMyAdmin vulnerable to Cross-site Scripting setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI. |
Affected by 13 other vulnerabilities. |
|
VCID-g67g-ycx6-ebat
Aliases: CVE-2017-18264 GHSA-5868-g58j-vrj5 |
An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions (e.g., version 5). This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). This occurs because some implementations of the PHP substr function return false when given '' as the first argument. |
Affected by 22 other vulnerabilities. Affected by 21 other vulnerabilities. |
|
VCID-hy45-dt9r-y3a2
Aliases: CVE-2016-6612 GHSA-fcgm-62p3-f7cm |
phpMyAdmin Local file exposure An issue was discovered in phpMyAdmin. A user can exploit the LOAD LOCAL INFILE functionality to expose files on the server to the database system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 5 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-jxqx-dh1t-eua2
Aliases: CVE-2016-6624 GHSA-mhxj-6vf8-mwv3 |
phpMyAdmin IPv6 and proxy server IP-based authentication rule circumvention An issue was discovered in phpMyAdmin involving improper enforcement of the IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 5 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-kw8w-rzsv-x7aq
Aliases: CVE-2016-9851 GHSA-r2vw-p77f-vc27 |
Affected by 3 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
|
VCID-kzr5-ef5h-dfbr
Aliases: CVE-2016-6613 GHSA-6j2v-g9rg-qcm5 |
Affected by 5 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
|
VCID-m59a-5uea-rfa9
Aliases: CVE-2016-5734 GHSA-rv57-479x-x4qv |
phpMyAdmin Code Injection vulnerability phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation. |
Affected by 13 other vulnerabilities. |
|
VCID-p8xn-tscc-4qhu
Aliases: CVE-2017-1000015 GHSA-3fgq-cmr4-97rr |
Affected by 2 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
|
VCID-qhn7-b1w4-vkfn
Aliases: CVE-2016-5739 GHSA-2p7v-jm8m-g3qq |
phpMyAdmin vulnerable to Cross-Site Request Forgery The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php. |
Affected by 13 other vulnerabilities. |
|
VCID-qmfr-5d3y-27au
Aliases: CVE-2016-6609 GHSA-wpww-hx7x-xfjh |
Affected by 5 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
|
VCID-qu34-hevh-v3a9
Aliases: CVE-2016-6621 GHSA-44vv-mm86-7cg6 |
phpMyAdmin server-side request forgery (SSRF) The setup script for phpMyAdmin before 4.0.10.19, 4.4.x before 4.4.15.10, and 4.6.x before 4.6.6 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors. |
Affected by 2 other vulnerabilities. |
|
VCID-qvb8-x5h7-1kax
Aliases: CVE-2016-9857 GHSA-hmmx-wxh4-9w8w |
Affected by 3 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
|
VCID-rqvv-7dvy-dqfd
Aliases: CVE-2016-9860 GHSA-3hw5-fffc-qrg4 |
Affected by 3 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
|
VCID-rs9g-rj3u-1bfy
Aliases: CVE-2016-9861 GHSA-r326-mp8g-6xfc |
Affected by 3 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
|
VCID-rspx-kym8-xydx
Aliases: CVE-2016-5730 GHSA-wm9c-vcv2-vpqc |
phpMyAdmin full path disclosure vulnerability phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a missing config directory during setup, or (5) an incorrect OpenID identifier data type, which reveals the full path in an error message. |
Affected by 13 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-tx6k-19sr-2kh3
Aliases: CVE-2017-1000016 GHSA-j2cq-h6v2-f875 |
phpMyAdmin Cookie attribute injection attack A weakness was discovered where an attacker can inject arbitrary values into the browser cookies. This is a re-issue of an incomplete fix from PMASA-2016-18. |
Affected by 2 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-v3xe-8zk4-q3gm
Aliases: CVE-2016-5702 GHSA-xqw9-ffx7-g998 |
phpMyAdmin cookie-attribute injection phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI. |
Affected by 13 other vulnerabilities. |
|
VCID-x4xq-zycy-sfd5
Aliases: CVE-2016-5732 GHSA-3q28-xfw3-2q35 |
phpMyAdmin XSS Vulnerability Multiple cross-site scripting (XSS) vulnerabilities in the partition-range implementation in `templates/table/structure/display_partitions.phtml` in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via crafted table parameters. |
Affected by 13 other vulnerabilities. |
|
VCID-xrnq-v6ph-97hn
Aliases: CVE-2016-9847 GHSA-9xhq-pm7v-693p |
Affected by 3 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
|
VCID-yvwv-ebhn-x3g5
Aliases: CVE-2016-6625 GHSA-r643-7xfg-ppc5 |
phpMyAdmin allows to detect if user is logged in An issue was discovered in phpMyAdmin. An attacker can determine whether a user is logged in to phpMyAdmin. The user's session, username, and password are not compromised by this vulnerability. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
Affected by 5 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-z37z-773u-2fd7
Aliases: CVE-2016-6632 GHSA-426q-975p-w5cr |
Affected by 5 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
|
VCID-zjy7-eubd-1qbz
Aliases: CVE-2016-6623 GHSA-2mcj-3r3r-v5wm |
Affected by 5 other vulnerabilities. |
|
|
VCID-zxus-a2uc-aqe8
Aliases: CVE-2017-1000014 GHSA-9hrc-rwrq-v6mh |
Affected by 2 other vulnerabilities. Affected by 22 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||