CVE-2016-5730
https://notcve.org/view.php?id=CVE-2016-5730
phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a missing config directory during setup, or (5) an incorrect OpenID identifier data type, which reveals the full path in an error message. phpMyAdmin 4.0.x en versiones anteriores a 4.0.10.16, 4.4.x en versiones anteriores a 4.4.15.7 y 4.6.x en versiones anteriores a 4.6.3 permite a atacantes remotos obtener información sensible a través de vectores relacionados con (1) un valor de matriz para FormDisplay.php, (2) datos incorrectos para validate.php, (3) datos no esperados para Validator.php, (4) falta de directorio de configuración durante la instalación o (5) un identificador de tipo de datos OpenID incorrecto, lo que revela la ruta completa en un mensaje de error. • http://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html http://lists.opensuse.org/opensuse-updates/2016-06/msg00114.html http://www.securityfocus.com/bid/91379 https://github.com/phpmyadmin/phpmyadmin/commit/27664605b945b13e1d2b71adea822ace2099cc96 https://github.com/phpmyadmin/phpmyadmin/commit/331c560fbfa0e7d2dce674b5e88e983c5f2a451d https://github.com/phpmyadmin/phpmyadmin/commit/96e0aa35653ec0c66084a7e9343465e16c1f769b https://github.com/phpmyadmin/phpmyadmin/commit/b0180f18c828706af3a6800f0fb01a536d3ef8c7 https://github.com/phpmyadmin/phpmyad • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-5739
https://notcve.org/view.php?id=CVE-2016-5739
The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php. La implementación de Transformation en phpMyAdmin 4.0.x en versiones anteriores a 4.0.10.16, 4.4.x en versiones anteriores a 4.4.15.7 y 4.6.x en versiones anteriores a 4.6.3 no usa el mecanismo de protección no-referrer Content Security Policy (CSP), lo que facilita a atacantes remotos llevar a cabo ataques CSRF leyendo un token autenticado en una cabecera Referer, relacionado con libraries/Header.php. • http://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html http://lists.opensuse.org/opensuse-updates/2016-06/msg00114.html http://www.debian.org/security/2016/dsa-3627 http://www.securityfocus.com/bid/91389 https://github.com/phpmyadmin/phpmyadmin/commit/1e5716cb96d46efc305381ae0da08e73fe340f05 https://github.com/phpmyadmin/phpmyadmin/commit/2f4950828ec241e8cbdcf13090c2582a6fa620cb https://security.gentoo.org/glsa/201701-32 https://www.phpmyadmin.net/security/PMASA-2016-28 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-5705
https://notcve.org/view.php?id=CVE-2016-5705
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an "invalid JSON" error message in the error console, (3) a database name in the central columns implementation, (4) a group name, or (5) a search name in the bookmarks implementation. Múltiples vulnerabilidades de XSS en phpMyAdmin 4.4.x en versiones anteriores a 4.4.15.7 y 4.6.x en versiones anteriores a 4.6.3 permiten a atacantes remotos inyectar comandos web o HTML arbitrarios a través de vectores relacionados con (1) campos de datos de certificado de server-privilegies en la página de privilegios de usuario, (2) un error "invalid JSON" en la consola de error, (3) un nombre de database en las columnas centrales de implementación, (4) un nombre de grupo o (5) un nombre de búsqueda en la implementación de marcadores. • http://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html http://lists.opensuse.org/opensuse-updates/2016-06/msg00114.html http://www.debian.org/security/2016/dsa-3627 http://www.securityfocus.com/bid/91378 https://github.com/phpmyadmin/phpmyadmin/commit/03f73d48369703e0d3584699b08e24891c3295b8 https://github.com/phpmyadmin/phpmyadmin/commit/0b7416c5f4439ed3f11c023785f2d4c49a1b09fc https://github.com/phpmyadmin/phpmyadmin/commit/364732e309cccb3fb56c938ed8d8bc0e04a3ca98 https://github.com/phpmyadmin/phpmyadmin/commit/36df83a97a7f140fdb00 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-5702
https://notcve.org/view.php?id=CVE-2016-5702
phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI. phpMyAdmin 4.6.x en versiones anteriores a 4.6.3, cuando el entorno carece de valor PHP_SELF, permite a atacantes remotos llevar a cabo ataques de inyección cookie-attribute a través de una URI manipulada. • https://github.com/phpmyadmin/phpmyadmin/commit/27caf5b46bd0890e576fea7bd7b166a0639fdf68 https://security.gentoo.org/glsa/201701-32 https://www.phpmyadmin.net/security/PMASA-2016-18 • CWE-254: 7PK - Security Features •
CVE-2016-5704
https://notcve.org/view.php?id=CVE-2016-5704
Cross-site scripting (XSS) vulnerability in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving a comment. Vulnerabilidad de XSS en la página table-structure en phpMyAdmin 4.6.x en versiones anteriores a 4.6.3 permite a atacantes remotos inyectar secuencias de comandos web y HTML arbitrarios a través de vectores relacionados con comentarios. • https://github.com/phpmyadmin/phpmyadmin/commit/72213573182896bd6a6e5af5ba1881dd87c4a20b https://security.gentoo.org/glsa/201701-32 https://www.phpmyadmin.net/security/PMASA-2016-20 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •