Page 16 of 94 results (0.010 seconds)

CVSS: 5.3EPSS: 0%CPEs: 62EXPL: 0

phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a missing config directory during setup, or (5) an incorrect OpenID identifier data type, which reveals the full path in an error message. phpMyAdmin 4.0.x en versiones anteriores a 4.0.10.16, 4.4.x en versiones anteriores a 4.4.15.7 y 4.6.x en versiones anteriores a 4.6.3 permite a atacantes remotos obtener información sensible a través de vectores relacionados con (1) un valor de matriz para FormDisplay.php, (2) datos incorrectos para validate.php, (3) datos no esperados para Validator.php, (4) falta de directorio de configuración durante la instalación o (5) un identificador de tipo de datos OpenID incorrecto, lo que revela la ruta completa en un mensaje de error. • http://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html http://lists.opensuse.org/opensuse-updates/2016-06/msg00114.html http://www.securityfocus.com/bid/91379 https://github.com/phpmyadmin/phpmyadmin/commit/27664605b945b13e1d2b71adea822ace2099cc96 https://github.com/phpmyadmin/phpmyadmin/commit/331c560fbfa0e7d2dce674b5e88e983c5f2a451d https://github.com/phpmyadmin/phpmyadmin/commit/96e0aa35653ec0c66084a7e9343465e16c1f769b https://github.com/phpmyadmin/phpmyadmin/commit/b0180f18c828706af3a6800f0fb01a536d3ef8c7 https://github.com/phpmyadmin/phpmyad • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.5EPSS: 0%CPEs: 62EXPL: 0

The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php. La implementación de Transformation en phpMyAdmin 4.0.x en versiones anteriores a 4.0.10.16, 4.4.x en versiones anteriores a 4.4.15.7 y 4.6.x en versiones anteriores a 4.6.3 no usa el mecanismo de protección no-referrer Content Security Policy (CSP), lo que facilita a atacantes remotos llevar a cabo ataques CSRF leyendo un token autenticado en una cabecera Referer, relacionado con libraries/Header.php. • http://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html http://lists.opensuse.org/opensuse-updates/2016-06/msg00114.html http://www.debian.org/security/2016/dsa-3627 http://www.securityfocus.com/bid/91389 https://github.com/phpmyadmin/phpmyadmin/commit/1e5716cb96d46efc305381ae0da08e73fe340f05 https://github.com/phpmyadmin/phpmyadmin/commit/2f4950828ec241e8cbdcf13090c2582a6fa620cb https://security.gentoo.org/glsa/201701-32 https://www.phpmyadmin.net/security/PMASA-2016-28 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.1EPSS: 0%CPEs: 34EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an "invalid JSON" error message in the error console, (3) a database name in the central columns implementation, (4) a group name, or (5) a search name in the bookmarks implementation. Múltiples vulnerabilidades de XSS en phpMyAdmin 4.4.x en versiones anteriores a 4.4.15.7 y 4.6.x en versiones anteriores a 4.6.3 permiten a atacantes remotos inyectar comandos web o HTML arbitrarios a través de vectores relacionados con (1) campos de datos de certificado de server-privilegies en la página de privilegios de usuario, (2) un error "invalid JSON" en la consola de error, (3) un nombre de database en las columnas centrales de implementación, (4) un nombre de grupo o (5) un nombre de búsqueda en la implementación de marcadores. • http://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html http://lists.opensuse.org/opensuse-updates/2016-06/msg00114.html http://www.debian.org/security/2016/dsa-3627 http://www.securityfocus.com/bid/91378 https://github.com/phpmyadmin/phpmyadmin/commit/03f73d48369703e0d3584699b08e24891c3295b8 https://github.com/phpmyadmin/phpmyadmin/commit/0b7416c5f4439ed3f11c023785f2d4c49a1b09fc https://github.com/phpmyadmin/phpmyadmin/commit/364732e309cccb3fb56c938ed8d8bc0e04a3ca98 https://github.com/phpmyadmin/phpmyadmin/commit/36df83a97a7f140fdb00 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 2%CPEs: 62EXPL: 0

js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to cause a denial of service via a large array in the scripts parameter. js/get_scripts.js.php en phpMyAdmin 4.0.x en versiones anteriores a 4.0.10.16, 4.4.x en versiones anteriores a 4.4.15.7 y 4.6.x en versiones anteriores a 4.6.3 permite a atacantes remotos provocar una denegación de servicio a través de una gran variedad en el parámetro de secuencias de comandos. • http://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html http://lists.opensuse.org/opensuse-updates/2016-06/msg00114.html http://www.debian.org/security/2016/dsa-3627 http://www.securityfocus.com/bid/91376 https://github.com/phpmyadmin/phpmyadmin/commit/4767f24ea4c1e3822ce71a636c341e8ad8d07aa6 https://security.gentoo.org/glsa/201701-32 https://www.phpmyadmin.net/security/PMASA-2016-22 • CWE-399: Resource Management Errors •

CVSS: 6.1EPSS: 0%CPEs: 62EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during privilege checking in table_row.phtml, (2) a crafted mysqld log_bin directive that is mishandled in log_selector.phtml, (3) the Transformation implementation, (4) AJAX error handling in js/ajax.js, (5) the Designer implementation, (6) the charts implementation in js/tbl_chart.js, or (7) the zoom-search implementation in rows_zoom.phtml. Múltiples vulnerabilidades de XSS en phpMyAdmin 4.0.x en versiones anteriores a 4.0.10.16, 4.4.x en versiones anteriores a 4.4.15.7 y 4.6.x en versiones anteriores a 4.6.3 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores relacionados con (1)un nombre de tabla manipulado que es manejado incorrectamente durante la comprobación de privilegios en table_row.phtml, (2) una directiva mysqld log_bin manipulada que es manejada incorrectamente en log_selector.phtml, (3) la implementación de Transformation, (4) manejo del error AJAX en js/ajax.js, (5) la implementación de Designer, (6) la implementación de gráficos en js/tbl_chart.js o (7) la implementación de búsqueda de zoom en rows_zoom.phtml. • http://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html http://lists.opensuse.org/opensuse-updates/2016-06/msg00114.html http://www.debian.org/security/2016/dsa-3627 http://www.securityfocus.com/bid/91390 https://github.com/phpmyadmin/phpmyadmin/commit/4d21b5c077db50c2a54b7f569d20f463cc2651f5 https://github.com/phpmyadmin/phpmyadmin/commit/615212a14d7d87712202f37354acf8581987fc5a https://github.com/phpmyadmin/phpmyadmin/commit/79661610f6f65443e0ec1e382a7240437f28436c https://github.com/phpmyadmin/phpmyadmin/commit/8716855b309dbe65d7b9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •