CVE-2016-2561
https://notcve.org/view.php?id=CVE-2016-2561
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3) templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos parameter to db_central_columns.php in the central columns page.

References:
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178562.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178869.html
http://lists.opensuse.org/opensuse-updates/2016-03/msg00018.html
http://lists.opensuse.org/opensuse-updates/2016-03/msg00020.html
http://www.debian.org/security/2016/dsa-3627
https://github.com/phpmyadmin/phpmyadmin/commit/37c34d089aa19f30d11203bb0c7f85b486424372
https://github.com/phpmyadmin/phpmyadmin/commit/746240bd13b62b5956fc34389cfbdc09e1e67775
https://github.c

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2016-2559
https://notcve.org/view.php?id=CVE-2016-2559
Cross-site scripting (XSS) vulnerability in the format function in libraries/sql-parser/src/Utils/Error.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.5.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query.

References:
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178562.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178869.html
https://github.com/phpmyadmin/phpmyadmin/commit/3a6a9a807d99371ee126635e1a505fc1fe0df32c
https://www.phpmyadmin.net/security/PMASA-2016-10

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2016-2560
https://notcve.org/view.php?id=CVE-2016-2560
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to libraries/controllers/TableSearchController.class.php in the zoom search page.

References:
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178562.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178869.html
http://lists.opensuse.org/opensuse-updates/2016-03/msg00018.html
http://lists.opensuse.org/opensuse-updates/2016-03/msg00020.html
http://www.debian.org/security/2016/dsa-3627
https://github.com/phpmyadmin/phpmyadmin/commit/38fa1191049ac0c626a6684eea52068dfbbb5078
https://github.com/phpmyadmin/phpmyadmin/commit/41c4e0214c286f28830cca54423b5db57e7c0ce4
https://github.c

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2016-2562
https://notcve.org/view.php?id=CVE-2016-2562
The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof these servers and obtain sensitive information via a crafted certificate.

References:
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178562.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178869.html
https://github.com/phpmyadmin/phpmyadmin/commit/e42b7e3aedd29dd0f7a48575f20bfc5aca0ff976
https://www.phpmyadmin.net/security/PMASA-2016-13

CWE-20: Improper Input Validation

CVE-2016-2041
https://notcve.org/view.php?id=CVE-2016-2041
libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences.

References:
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html
http://www.debian.org/security/2016/dsa-3627
http://www.phpmyadmin.net/home_page/security/PMASA-2016-5.php
https://github.com/phpmyadmin/phpmyadmin/commit/ec0e88e37ef30a66eada1c072953f4ec385a3e49

CWE-254: 7PK - Security Features