Debian Phpmyadmin vulnerabilities

270 known vulnerabilities affecting debian/phpmyadmin.

Total CVEs: 270
CISA KEV: 1 (actively exploited)
Public exploits: 41
Exploited in wild: 3
Severity breakdown: CRITICAL 18, HIGH 27, MEDIUM 95, LOW 130

Vulnerabilities

Page 5 of 14
CVE-2016-5705 | MEDIUM | CVSS 6.1 | fixed in phpmyadmin 4:4.6.3-1 (bookworm) | 2016
[MEDIUM] phpmyadmin: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an "invalid JSON" error message in the error console, (3) a database name in the central co
Source: debian

CVE-2016-6628 | MEDIUM | CVSS 6.3 | fixed in phpmyadmin 4:4.6.4+dfsg1-1 (bookworm) | 2016
[MEDIUM] phpmyadmin: An issue was discovered in phpMyAdmin. An attacker may be able to trigger a user to download a specially crafted malicious SVG file. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
Scope: local. bookworm: resolved (fixed in 4:4.6.4+dfsg1-1); bullseye: resolved (fixed in 4:4.6.4+dfsg1-1)
Source: debian

CVE-2016-6607 | MEDIUM | CVSS 6.1 | fixed in phpmyadmin 4:4.6.4+dfsg1-1 (bookworm) | 2016
[MEDIUM] phpmyadmin: XSS issues were discovered in phpMyAdmin. This affects Zoom search (specially crafted column content can be used to trigger an XSS attack); GIS editor (certain fields in the graphical GIS editor are not properly escaped and can be used to trigger an XSS attack); Relation view; the following Transformations: Formatted, Imagelink, JPEG: Upload, RegexValidation, JPE
Source: debian

CVE-2016-2044 | MEDIUM | CVSS 5.3 | fixed in phpmyadmin 4:4.5.4-1 (bookworm) | 2016
[MEDIUM] phpmyadmin: libraries/sql-parser/autoload.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message.
Scope: local. bookworm: resolved (fixed in 4:4.5.4-1); bullseye: resolved (fixed in 4:4.5.4-1); forky: resolved (fixed in 4:4.5.4-1); sid: resolved (fixed i
Source: debian

CVE-2016-5099 | LOW | CVSS 6.1 | fixed in phpmyadmin 4:4.6.2-1 (bookworm) | 2016
[MEDIUM] phpmyadmin: Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding.
Scope: local. bookworm: resolved (fixed in 4:4.6.2-1); bullseye: resolved (fixed in 4:4.6.2-1); forky: resolved (fixed in 4:4.6.2-1); s
Source: debian

CVE-2016-9850 | LOW | CVSS 5.3 | fixed in phpmyadmin 4:4.6.5.1-1 (bookworm) | 2016
[MEDIUM] phpmyadmin: An issue was discovered in phpMyAdmin. Username matching for the allow/deny rules may result in wrong matches and detection of the username in the rule due to non-constant execution time. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Scope: local. bookworm: resolved (fixed in 4:4.6.5.
Source: debian

CVE-2016-2562 | LOW | CVSS 6.8 | fixed in phpmyadmin 4:4.5.5.1-1 (bookworm) | 2016
[MEDIUM] phpmyadmin: The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof these servers and obtain sensitive information via a crafted certificate.
Scope: local. bookworm: resolved (fixed in 4:4.5.5.1-1); bullseye: resolved (fixed in 4
Source: debian

CVE-2016-5097 | LOW | CVSS 5.3 | fixed in phpmyadmin 4:4.6.2-1 (bookworm) | 2016
[MEDIUM] phpmyadmin: phpMyAdmin before 4.6.2 places tokens in query strings and does not arrange for them to be stripped before external navigation, which allows remote attackers to obtain sensitive information by reading (1) HTTP requests or (2) server logs.
Scope: local. bookworm: resolved (fixed in 4:4.6.2-1); bullseye: resolved (fixed in 4:4.6.2-1); forky: resolved (fixed in 4:4.6.2
Source: debian

CVE-2016-9858 | LOW | CVSS 5.3 | fixed in phpmyadmin 4:4.6.5.1-1 (bookworm) | 2016
[MEDIUM] phpmyadmin: An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in saved searches feature. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Scope: local. bookworm: resolved (fixed in 4:4.6.5.1-1); bullseye: resolved (fixe
Source: debian

CVE-2016-9866 | LOW | CVSS 9.8 | fixed in phpmyadmin 4:4.6.5.1-1 (bookworm) | 2016
[CRITICAL] phpmyadmin: An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Scope: local. bookworm: resolved (fixed in
Source: debian

CVE-2016-9851 | LOW | CVSS 5.3 | fixed in phpmyadmin 4:4.6.5.1-1 (bookworm) | 2016
[MEDIUM] phpmyadmin: An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to bypass the logout timeout. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected.
Scope: local. bookworm: resolved (fixed in 4:4.6.5.1-1); bullseye: resolved (fixed in 4:4.6.5.1-1); forky: resolved (fixed in 4:4.6.5.1-1); sid: resolved (f
Source: debian

CVE-2016-9852 | LOW | CVSS 5.3 | fixed in phpmyadmin 4:4.6.5.1-1 (bookworm) | 2016
[MEDIUM] phpmyadmin: An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directo
Source: debian

CVE-2016-6625 | LOW | CVSS 4.3 | fixed in phpmyadmin 4:4.6.4+dfsg1-1 (bookworm) | 2016
[MEDIUM] phpmyadmin: An issue was discovered in phpMyAdmin. An attacker can determine whether a user is logged in to phpMyAdmin. The user's session, username, and password are not compromised by this vulnerability. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
Scope: local. bookworm: resolved (fixed in 4:
Source: debian

CVE-2016-2560 | LOW | CVSS 6.1 | fixed in phpmyadmin 4:4.5.5.1-1 (bookworm) | 2016
[MEDIUM] phpmyadmin: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to file_echo.php; (3) a crafted SQL query, related to js/fu
Source: debian

CVE-2016-5730 | LOW | CVSS 5.3 | fixed in phpmyadmin 4:4.6.3-1 (bookworm) | 2016
[MEDIUM] phpmyadmin: phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a missing config directory during setup, or (5) an incorrect OpenID identifier data type,
Source: debian

CVE-2016-6633 | LOW | CVSS 8.1 | fixed in phpmyadmin 4:4.6.4+dfsg1-1 (bookworm) | 2016
[HIGH] phpmyadmin: An issue was discovered in phpMyAdmin. phpMyAdmin can be used to trigger a remote code execution attack against certain PHP installations that are running with the dbase extension. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
Scope: local. bookworm: resolved (fixed in 4:4.6.4+dfsg1-1)
Source: debian

CVE-2016-2038 | LOW | CVSS 5.3 | fixed in phpmyadmin 4:4.5.4-1 (bookworm) | 2016
[MEDIUM] phpmyadmin: phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message.
Scope: local. bookworm: resolved (fixed in 4:4.5.4-1); bullseye: resolved (fixed in 4:4.5.4-1); forky: resolved (fixed in 4:4.5.4-1); sid: resolved (fixed in 4:
Source: debian

CVE-2016-2045 | LOW | CVSS 5.4 | fixed in phpmyadmin 4:4.5.4-1 (bookworm) | 2016
[MEDIUM] phpmyadmin: Cross-site scripting (XSS) vulnerability in the SQL editor in phpMyAdmin 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a SQL query that triggers JSON data in a response.
Scope: local. bookworm: resolved (fixed in 4:4.5.4-1); bullseye: resolved (fixed in 4:4.5.4-1); forky: resolved (fixed in 4:4.5.4-1); sid: resolved (
Source: debian

CVE-2016-2042 | LOW | CVSS 5.3 | fixed in phpmyadmin 4:4.5.4-1 (bookworm) | 2016
[MEDIUM] phpmyadmin: phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request to (1) libraries/phpseclib/Crypt/AES.php or (2) libraries/phpseclib/Crypt/Rijndael.php, which reveals the full path in an error message.
Scope: local. bookworm: resolved (fixed in 4:4.5.4-1); bullseye: resolved (fixed in 4:4.5.4-1); f
Source: debian

CVE-2016-6610 | LOW | CVSS 4.3 | fixed in phpmyadmin 4:4.6.4+dfsg1-1 (bookworm) | 2016
[MEDIUM] phpmyadmin: A full path disclosure vulnerability was discovered in phpMyAdmin where a user can trigger a particular error in the export mechanism to discover the full path of phpMyAdmin on the disk. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
Scope: local. bookworm: resolved (fixed in 4:4.6.4+d
Source: debian