CVE-2016-6606Sensitive Information Exposure in Phpmyadmin

CWE-200Sensitive Information ExposureCWE-3104 documents4 sources
Severity
8.1HIGHNVD
EPSS
0.3%
top 50.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
PhpmyadminDebian Phpmyadmin
Timeline
PublishedDec 11
Latest updateMay 17

Description

An issue was discovered in cookie encryption in phpMyAdmin. The decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user's browser cookie file to decrypt the username and password. Furthermore, the same initialization vector (IV) is used to hash the username and password stored in the phpMyAdmin cookie. If a user has the same password as their username, an attacker who examines the browser cookie can see that they are the s

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

debiandebian/phpmyadmin< phpmyadmin 4:4.6.4+dfsg1-1 (bookworm)
Debianphpmyadmin/phpmyadmin< 4:4.6.4+dfsg1-1+3
NVDphpmyadmin/phpmyadmin60 versions+59

Patches

Patch: www.phpmyadmin.netPatch: www.phpmyadmin.net

🔴Vulnerability Details

2
GHSA
GHSA-8pvh-2357-g3c2: An issue was discovered in cookie encryption in phpMyAdmin2022-05-17
OSV
CVE-2016-6606: An issue was discovered in cookie encryption in phpMyAdmin2016-12-11

📋Vendor Advisories

1
Debian
CVE-2016-6606: phpmyadmin - An issue was discovered in cookie encryption in phpMyAdmin. The decryption of th...2016