CVE-2016-9864 — SQL Injection in Phpmyadmin

CWE-89 — SQL Injection4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 36.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phpmyadmin Debian Phpmyadmin

Timeline

PublishedDec 11

Latest updateMay 17

Description

An issue was discovered in phpMyAdmin. With a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the MySQL database. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4…

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/phpmyadmin< phpmyadmin 4:4.6.5.1-1 (bookworm)

▶Debianphpmyadmin/phpmyadmin< 4:4.6.5.1-1+3

▶NVDphpmyadmin/phpmyadmin63 versions+62

Patches

Patch: www.phpmyadmin.net ↗Patch: www.phpmyadmin.net ↗

🔴Vulnerability Details

GHSA

GHSA-5vmc-9jj9-45xc: An issue was discovered in phpMyAdmin↗2022-05-17

▶

OSV

CVE-2016-9864: An issue was discovered in phpMyAdmin↗2016-12-11

▶

📋Vendor Advisories

Debian

CVE-2016-9864: phpmyadmin - An issue was discovered in phpMyAdmin. With a crafted username or a table name, ...↗2016

▶