Debian Phpmyadmin vulnerabilities
270 known vulnerabilities affecting debian/phpmyadmin.
Total CVEs: 270
CISA KEV: 1 actively exploited
Public exploits: 41
Exploited in wild: 3
Severity breakdown: CRITICAL 18, HIGH 27, MEDIUM 95, LOW 130
Vulnerabilities
CVE-2016-9855 | LOW | CVSS 5.3 | fixed in phpmyadmin 4:4.6.5.1-1 (bookworm) | 2016
CVE-2016-9855 [MEDIUM]: phpmyadmin
An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directo
debian
CVE-2016-9863 | LOW | CVSS 7.5 | fixed in phpmyadmin 4:4.6.5.1-1 (bookworm) | 2016
CVE-2016-9863 [HIGH]: phpmyadmin
An issue was discovered in phpMyAdmin. With a very large request to table partitioning function, it is possible to invoke a Denial of Service (DoS) attack. All 4.6.x versions (prior to 4.6.5) are affected.
Scope: local
bookworm: resolved (fixed in 4:4.6.5.1-1)
bullseye: resolved (fixed in 4:4.6.5.1-1)
forky: resolved (fixed in 4:4.6.5.1-1)
sid: resolved (fixed in 4
debian
CVE-2016-9860 | LOW | CVSS 5.9 | fixed in phpmyadmin 4:4.6.5.1-1 (bookworm) | 2016
CVE-2016-9860 [MEDIUM]: phpmyadmin
An issue was discovered in phpMyAdmin. An unauthenticated user can execute a denial of service attack when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Scope: local
bookworm: resolved (fixed in 4:4.6.5.1-1)
bullseye: reso
debian
CVE-2016-9847 | LOW | CVSS 5.3 | fixed in phpmyadmin 4:4.6.5.1-1 (bookworm) | 2016
CVE-2016-9847 [MEDIUM]: phpmyadmin
An issue was discovered in phpMyAdmin. When the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where the way this value is created uses a weak algorithm. This could allow an attacker to determine the user's blowfish_secret and potentially decrypt their cookies. All 4.6.x versio
debian
CVE-2016-9857 | LOW | CVSS 6.1 | fixed in phpmyadmin 4:4.6.5.1-1 (bookworm) | 2016
CVE-2016-9857 [MEDIUM]: phpmyadmin
An issue was discovered in phpMyAdmin. XSS is possible because of a weakness in a regular expression used in some JavaScript processing. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Scope: local
bookworm: resolved (fixed in 4:4.6.5.1-1)
bullseye: resolved (fixed in 4:4.6.5.1-1)
fork
debian
CVE-2016-9853 | LOW | CVSS 5.3 | fixed in phpmyadmin 4:4.6.5.1-1 (bookworm) | 2016
CVE-2016-9853 [MEDIUM]: phpmyadmin
An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directo
debian
CVE-2016-5702 | LOW | CVSS 3.7 | fixed in phpmyadmin 4:4.6.3-1 (bookworm) | 2016
CVE-2016-5702 [LOW]: phpmyadmin
phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI.
Scope: local
bookworm: resolved (fixed in 4:4.6.3-1)
bullseye: resolved (fixed in 4:4.6.3-1)
forky: resolved (fixed in 4:4.6.3-1)
sid: resolved (fixed in 4:4.6.3-1)
trixie: resolved (fixed in 4:4.6.3-1)
debian
CVE-2016-9854 | LOW | CVSS 5.3 | fixed in phpmyadmin 4:4.6.5.1-1 (bookworm) | 2016
CVE-2016-9854 [MEDIUM]: phpmyadmin
An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directo
debian
CVE-2016-9861 | LOW | CVSS 7.5 | fixed in phpmyadmin 4:4.6.5.1-1 (bookworm) | 2016
CVE-2016-9861 [HIGH]: phpmyadmin
An issue was discovered in phpMyAdmin. Due to the limitation in URL matching, it was possible to bypass the URL white-list protection. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Scope: local
bookworm: resolved (fixed in 4:4.6.5.1-1)
bullseye: resolved (fixed in 4:4.6.5.1-1)
forky: r
debian
CVE-2016-5731 | LOW | CVSS 6.1 | fixed in phpmyadmin 4:4.6.3-1 (bookworm) | 2016
CVE-2016-5731 [MEDIUM]: phpmyadmin
Cross-site scripting (XSS) vulnerability in examples/openid.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message.
Scope: local
bookworm: resolved (fixed in 4:4.6.3-1)
bullseye: resolved (fixed in 4:4.6.3-1)
forky: resolve
debian
CVE-2016-5706 | LOW | CVSS 7.5 | fixed in phpmyadmin 4:4.6.3-1 (bookworm) | 2016
CVE-2016-5706 [HIGH]: phpmyadmin
js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to cause a denial of service via a large array in the scripts parameter.
Scope: local
bookworm: resolved (fixed in 4:4.6.3-1)
bullseye: resolved (fixed in 4:4.6.3-1)
forky: resolved (fixed in 4:4.6.3-1)
sid: resolved (fixed in 4:4.6.3-1)
debian
CVE-2016-5098 | LOW | CVSS 5.3 | 2016
CVE-2016-5098 [MEDIUM]: phpmyadmin
Directory traversal vulnerability in libraries/error_report.lib.php in phpMyAdmin before 4.6.2-prerelease allows remote attackers to determine the existence of arbitrary files by triggering an error.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
debian
CVE-2016-9848 | LOW | CVSS 5.3 | fixed in phpmyadmin 4:4.6.5.1-1 (bookworm) | 2016
CVE-2016-9848 [MEDIUM]: phpmyadmin
An issue was discovered in phpMyAdmin. phpinfo (phpinfo.php) shows PHP information including values of HttpOnly cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Scope: local
bookworm: resolved (fixed in 4:4.6.5.1-1)
bullseye: resolved (fixed in 4:4.6.5.1-1)
forky: resolved (fix
debian
CVE-2016-9856 | LOW | CVSS 5.4 | fixed in phpmyadmin 4:4.6.5.1-1 (bookworm) | 2016
CVE-2016-9856 [MEDIUM]: phpmyadmin
An XSS issue was discovered in phpMyAdmin because of an improper fix for CVE-2016-2559 in PMASA-2016-10. This issue is resolved by using a copy of a hash to avoid a race condition. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Scope: local
bookworm: resolved (fixed in 4:4.6.5.1-1)
bu
debian
CVE-2016-2559 | LOW | CVSS 5.4 | fixed in phpmyadmin 4:4.5.5.1-1 (bookworm) | 2016
CVE-2016-2559 [MEDIUM]: phpmyadmin
Cross-site scripting (XSS) vulnerability in the format function in libraries/sql-parser/src/Utils/Error.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.5.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query.
Scope: local
bookworm: resolved (fixed in 4:4.5.5.1-1)
bullseye: resolved (fixed in 4:4.5.5.1-1)
forky: resolv
debian
CVE-2016-9859 | LOW | CVSS 5.3 | fixed in phpmyadmin 4:4.6.5.1-1 (bookworm) | 2016
CVE-2016-9859 [MEDIUM]: phpmyadmin
An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in import feature. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Scope: local
bookworm: resolved (fixed in 4:4.6.5.1-1)
bullseye: resolved (fixed in 4:4
debian
CVE-2015-8980 | CRITICAL | CVSS 9.8 | fixed in php-gettext 1.0.12-0.1 (bookworm) | 2015
CVE-2015-8980 [CRITICAL]: php-gettext
The plural form formula in ngettext family of calls in php-gettext before 1.0.12 allows remote attackers to execute arbitrary code.
Scope: local
bookworm: resolved (fixed in 1.0.12-0.1)
bullseye: resolved (fixed in 1.0.12-0.1)
sid: resolved (fixed in 1.0.12-0.1)
debian
CVE-2015-3902 | LOW | CVSS 6.8 | fixed in phpmyadmin 4:4.4.6.1-1 (bookworm) | 2015
CVE-2015-3902 [MEDIUM]: phpmyadmin
Multiple cross-site request forgery (CSRF) vulnerabilities in the setup process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 allow remote attackers to hijack the authentication of administrators for requests that modify the configuration file.
Scope: local
bookworm: resolved (fixed in 4:4.4.6.1-1)
bu
debian
CVE-2015-2206 | LOW | CVSS 5.0 | fixed in phpmyadmin 4:4.4.4-1 (bookworm) | 2015
CVE-2015-2206 [MEDIUM]: phpmyadmin
libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of craf
debian
CVE-2015-7873 | LOW | CVSS 5.0 | fixed in phpmyadmin 4:4.5.1-1 (bookworm) | 2015
CVE-2015-7873 [MEDIUM]: phpmyadmin
The redirection feature in url.php in phpMyAdmin 4.4.x before 4.4.15.1 and 4.5.x before 4.5.1 allows remote attackers to spoof content via the url parameter.
Scope: local
bookworm: resolved (fixed in 4:4.5.1-1)
bullseye: resolved (fixed in 4:4.5.1-1)
forky: resolved (fixed in 4:4.5.1-1)
sid: resolved (fixed in 4:4.5.1-1)
trixie: resolved (fixed in 4:4.5.1-1)
debian