Debian Phpmyadmin vulnerabilities
270 known vulnerabilities affecting debian/phpmyadmin.
Total CVEs: 270
CISA KEV: 1 (actively exploited)
Public exploits: 41
Exploited in wild: 3
Severity breakdown
CRITICAL: 18, HIGH: 27, MEDIUM: 95, LOW: 130
Vulnerabilities
Page 4 of 14
CVE-2016-6622 | MEDIUM | CVSS 5.9 | fixed in phpmyadmin 4:4.6.4+dfsg1-1 (bookworm) | 2016
An issue was discovered in phpMyAdmin. An unauthenticated user is able to execute a denial-of-service (DoS) attack by forcing persistent connections when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
Scope: local
bookworm:
CVE-2016-6615 | MEDIUM | CVSS 6.1 | fixed in phpmyadmin 4:4.6.4+dfsg1-1 (bookworm) | 2016
XSS issues were discovered in phpMyAdmin. This affects navigation pane and database/table hiding feature (a specially-crafted database name can be used to trigger an XSS attack); the "Tracking" feature (a specially-crafted query can be used to trigger an XSS attack); and GIS visualization feature. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4
CVE-2016-2040 | MEDIUM | CVSS 5.4 | fixed in phpmyadmin 4:4.5.4-1 (bookworm) | 2016
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname in a Location header.
Scope: local
bookworm: resolved (fixed in 4:4.5.4-1)
bullseye: r
CVE-2016-6614 | MEDIUM | CVSS 6.8 | fixed in phpmyadmin 4:4.6.4+dfsg1-1 (bookworm) | 2016
An issue was discovered in phpMyAdmin involving the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a specially-crafted user name can be used to circumvent restrictions to traverse the file system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions
CVE-2016-6612 | MEDIUM | CVSS 6.5 | fixed in phpmyadmin 4:4.6.4+dfsg1-1 (bookworm) | 2016
An issue was discovered in phpMyAdmin. A user can exploit the LOAD LOCAL INFILE functionality to expose files on the server to the database system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
Scope: local
bookworm: resolved (fixed in 4:4.6.4+dfsg1-1)
bullseye: resolved (fixed in 4:
CVE-2016-2039 | MEDIUM | CVSS 5.3 | fixed in phpmyadmin 4:4.5.4-1 (bookworm) | 2016
libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value.
Scope: local
bookworm: resolved (fixed in 4:4.5.4-1)
bullseye: resolved (fixed in 4:4.5.4-1)
forky: resolved (fixed i
CVE-2016-6626 | MEDIUM | CVSS 5.4 | fixed in phpmyadmin 4:4.6.4+dfsg1-1 (bookworm) | 2016
An issue was discovered in phpMyAdmin. An attacker could redirect a user to a malicious web page. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
Scope: local
bookworm: resolved (fixed in 4:4.6.4+dfsg1-1)
bullseye: resolved (fixed in 4:4.6.4+dfsg1-1)
forky: resolved (fixed in 4:4.6.4+d
CVE-2016-6624 | MEDIUM | CVSS 5.9 | fixed in phpmyadmin 4:4.6.4+dfsg1-1 (bookworm) | 2016
An issue was discovered in phpMyAdmin involving improper enforcement of the IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules. All 4.6.x versions (
CVE-2016-5704 | MEDIUM | CVSS 6.1 | fixed in phpmyadmin 4:4.6.3-1 (bookworm) | 2016
Cross-site scripting (XSS) vulnerability in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving a comment.
Scope: local
bookworm: resolved (fixed in 4:4.6.3-1)
bullseye: resolved (fixed in 4:4.6.3-1)
forky: resolved (fixed in 4:4.6.3-1)
sid: resolved (fixed in 4:4.6.3-1)
tr
CVE-2016-6627 | MEDIUM | CVSS 5.3 | fixed in phpmyadmin 4:4.6.4+dfsg1-1 (bookworm) | 2016
An issue was discovered in phpMyAdmin. An attacker can determine the phpMyAdmin host location through the file url.php. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
Scope: local
bookworm: resolved (fixed in 4:4.6.4+dfsg1-1)
bullseye: resolved (fixed in 4:4.6.4+dfsg1-1)
forky: resolv
CVE-2016-6632 | MEDIUM | CVSS 5.9 | fixed in phpmyadmin 4:4.6.4+dfsg1-1 (bookworm) | 2016
An issue was discovered in phpMyAdmin where, under certain conditions, phpMyAdmin may not delete temporary files during the import of ESRI files. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
Scope: local
bookworm: resolved (fixed in 4:4.6.4+dfsg1-1)
bullseye: resolved (fixed in 4:4.
CVE-2016-2043 | MEDIUM | CVSS 5.4 | fixed in phpmyadmin 4:4.5.4-1 (bookworm) | 2016
Cross-site scripting (XSS) vulnerability in the goToFinish1NF function in js/normalization.js in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a table name to the normalization page.
Scope: local
bookworm: resolved (fixed in 4:4.5.4-1)
bullseye: resolved (fixed in 4:4.5.4-1)
fo
CVE-2016-6613 | MEDIUM | CVSS 5.3 | fixed in phpmyadmin 4:4.6.4+dfsg1-1 (bookworm) | 2016
An issue was discovered in phpMyAdmin. A user can specially craft a symlink on disk, to a file which phpMyAdmin is permitted to read but the user is not, which phpMyAdmin will then expose to the user. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
Scope: local
bookworm: resolved (fixe
CVE-2016-4412 | MEDIUM | CVSS 4.4 | fixed in phpmyadmin 4:4.1.7-1 (bookworm) | 2016
An issue was discovered in phpMyAdmin. A user can be tricked into following a link leading to phpMyAdmin, which after authentication redirects to another malicious site. The attacker must sniff the user's valid phpMyAdmin token. All 4.0.x versions (prior to 4.0.10.16) are affected.
Scope: local
bookworm: resolved (fixed in 4:4.1.7-1)
bullseye: resolved (fixed in
CVE-2016-6630 | MEDIUM | CVSS 6.5 | fixed in phpmyadmin 4:4.6.4+dfsg1-1 (bookworm) | 2016
An issue was discovered in phpMyAdmin. An authenticated user can trigger a denial-of-service (DoS) attack by entering a very long password at the change password dialog. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
Scope: local
bookworm: resolved (fixed in 4:4.6.4+dfsg1-1)
bullseye:
CVE-2016-6618 | MEDIUM | CVSS 6.5 | fixed in phpmyadmin 4:4.6.4+dfsg1-1 (bookworm) | 2016
An issue was discovered in phpMyAdmin. The transformation feature allows a user to trigger a denial-of-service (DoS) attack against the server. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
Scope: local
bookworm: resolved (fixed in 4:4.6.4+dfsg1-1)
bullseye: resolved (fixed in 4:4.6.
CVE-2016-2561 | MEDIUM | CVSS 5.4 | fixed in phpmyadmin 4:4.5.5.1-1 (bookworm) | 2016
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3) templates/database/structure/sortable_header.phtml in the database structure page, or (
CVE-2016-5732 | MEDIUM | CVSS 6.1 | fixed in phpmyadmin 4:4.6.3-1 (bookworm) | 2016
Multiple cross-site scripting (XSS) vulnerabilities in the partition-range implementation in templates/table/structure/display_partitions.phtml in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via crafted table parameters.
Scope: local
bookworm: resolved (fixed in 4:4.6.3-1)
bullseye: resol
CVE-2016-5733 | MEDIUM | CVSS 6.1 | fixed in phpmyadmin 4:4.6.3-1 (bookworm) | 2016
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during privilege checking in table_row.phtml, (2) a crafted mysqld log_bin directive that is mishandl
CVE-2016-6608 | MEDIUM | CVSS 6.1 | fixed in phpmyadmin 4:4.6.4+dfsg1-1 (bookworm) | 2016
XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the "Remove partitioning" functionality. Specially crafted database names can trigger the XSS attack. All 4.6.x versions (prior to 4.6.4) are affected.
Scope: local
bookworm: resolved (fixed in 4:4.6.4+dfsg1-1)
bullseye: resolved (fixed in 4:4.6.4+dfsg1-1)
forky: resolved (fix