PMASA-2016-21

Announcement-ID: PMASA-2016-21

Date: 2016-06-23

Summary

Multiple XSS vulnerabilities

Description

  • An XSS vulnerability was discovered on the user privileges page.
  • An XSS vulnerability was discovered in the error console.
  • An XSS vulnerability was discovered in the central columns feature.
  • An XSS vulnerability was discovered in the query bookmarks feature.
  • An XSS vulnerability was discovered in the user groups feature.

Severity

We consider this to be a serious vulnerability

Affected Versions

All 4.4.x versions (prior to 4.4.15.7) and 4.6.x versions (prior to 4.6.3) are affected

Solution

Upgrade to phpMyAdmin 4.4.15.7 or 4.6.3 or newer or apply patch listed below.

References

Thanks to Nils Juenemann @totally_unknown and Emanuel Bronshtein @e3amn2l for reporting these vulnerabilities.

Assigned CVE ids: CVE-2016-5705

CWE ids: CWE-661

Patches

The following commits have been made on the 4.4 branch to fix this issue:

The following commits have been made on the 4.6 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

Announcements