Vulnerability details: VCID-84pb-neh5-73by

Vulnerability ID: VCID-84pb-neh5-73by
Aliases: CVE-2016-2041, GHSA-8m97-xc46-rw9w
Summary: phpMyAdmin Unsafe comparison of XSRF/CSRF token. libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences.
Status: Published
Exploitability: 0.5
Weighted Severity: 8.0
Risk: 4.0
Weaknesses (4)
Severities

| System | Score | Found at |
|---|---|---|
| cvssv3.1 | 7.5 | http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html |
| generic_textual | HIGH | http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html |
| cvssv3.1 | 7.5 | http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html |
| generic_textual | HIGH | http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html |
| cvssv3.1 | 7.5 | http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html |
| generic_textual | HIGH | http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html |
| cvssv3.1 | 7.5 | http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html |
| generic_textual | HIGH | http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html |
| epss | 0.01077 | https://api.first.org/data/v1/epss?cve=CVE-2016-2041 |
| cvssv3.1_qr | HIGH | https://github.com/advisories/GHSA-8m97-xc46-rw9w |
| cvssv3.1 | 7.5 | https://github.com/phpmyadmin/composer |
| generic_textual | HIGH | https://github.com/phpmyadmin/composer |
| cvssv3.1 | 7.5 | https://github.com/phpmyadmin/phpmyadmin/commit/ec0e88e37ef30a66eada1c072953f4ec385a3e49 |
| generic_textual | HIGH | https://github.com/phpmyadmin/phpmyadmin/commit/ec0e88e37ef30a66eada1c072953f4ec385a3e49 |
| cvssv3.1 | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2016-2041 |
| generic_textual | HIGH | https://nvd.nist.gov/vuln/detail/CVE-2016-2041 |
| cvssv3.1 | 7.5 | http://www.debian.org/security/2016/dsa-3627 |
| generic_textual | HIGH | http://www.debian.org/security/2016/dsa-3627 |
| cvssv3.1 | 7.5 | http://www.phpmyadmin.net/home_page/security/PMASA-2016-5.php |
| generic_textual | HIGH | http://www.phpmyadmin.net/home_page/security/PMASA-2016-5.php |
References

| Reference id | Reference type | URL |
|---|---|---|
| | | http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html |
| | | http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html |
| | | http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html |
| | | http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html |
| | | https://api.first.org/data/v1/epss?cve=CVE-2016-2041 |
| | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1927 |
| | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2039 |
| | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2040 |
| | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2041 |
| | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2560 |
| | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2561 |
| | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5099 |
| | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5701 |
| | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5705 |
| | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5706 |
| | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5731 |
| | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5733 |
| | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5739 |
| | | https://github.com/phpmyadmin/composer |
| | | https://github.com/phpmyadmin/phpmyadmin/commit/ec0e88e37ef30a66eada1c072953f4ec385a3e49 |
| | | https://nvd.nist.gov/vuln/detail/CVE-2016-2041 |
| | | http://www.debian.org/security/2016/dsa-3627 |
| | | http://www.phpmyadmin.net/home_page/security/PMASA-2016-5.php |
| GHSA-8m97-xc46-rw9w | | https://github.com/advisories/GHSA-8m97-xc46-rw9w |
No exploits are available.
CVSS vector details

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (the same vector is recorded at every source below)

| Metric | Value |
|---|---|
| Attack Vector (AV) | network |
| Attack Complexity (AC) | low |
| Privileges Required (PR) | none |
| User Interaction (UI) | none |
| Scope (S) | unchanged |
| Confidentiality Impact (C) | none |
| Integrity Impact (I) | high |
| Availability Impact (A) | none |

Found at:
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html
- https://github.com/phpmyadmin/composer
- https://github.com/phpmyadmin/phpmyadmin/commit/ec0e88e37ef30a66eada1c072953f4ec385a3e49
- https://nvd.nist.gov/vuln/detail/CVE-2016-2041
- http://www.debian.org/security/2016/dsa-3627
- http://www.phpmyadmin.net/home_page/security/PMASA-2016-5.php
Exploit Prediction Scoring System (EPSS)

Percentile: 0.76879
EPSS Score: 0.01077
Published At: July 30, 2025, 12:55 p.m.

History

| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2025-07-31T09:08:34.759396+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8m97-xc46-rw9w/GHSA-8m97-xc46-rw9w.json | 37.0.0 |