CVE-2016-5131 – libxml2: Use after free triggered by XPointer paths beginning with range-to
https://notcve.org/view.php?id=CVE-2016-5131
Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. Vulnerabilidad de uso después de liberación de memoria en libxml2 hasta la versión 2.9.4, como se utiliza en Google Chrome en versiones anteriores a 52.0.2743.82, permite a atacantes remotos provocar una denegación de servicio o posiblemente tener otro impacto no especificado a través de vectores relacionados con la función range-to XPointer. • http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html http://lists.apple.com/archives/security-announce/2016/Sep/msg00010.html http://lists.apple.com/archives/security-announce/2016/Sep/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2016-07/m • CWE-416: Use After Free •
CVE-2016-5098
https://notcve.org/view.php?id=CVE-2016-5098
Directory traversal vulnerability in libraries/error_report.lib.php in phpMyAdmin before 4.6.2-prerelease allows remote attackers to determine the existence of arbitrary files by triggering an error. Vulnerabilidad de salto de directorio en libraries/error_report.lib.php en phpMyAdmin en versiones anteriores a 4.6.2-prerelease permite a atacantes remotos determinar la existencia de archivos arbitrarios desencadenando un error. • http://lists.opensuse.org/opensuse-updates/2016-06/msg00043.html http://www.securitytracker.com/id/1035980 https://github.com/phpmyadmin/phpmyadmin/commit/d2dc9481d2af25b035778c67eaf0bfd2d2c59dd8 https://security.gentoo.org/glsa/201701-32 https://www.phpmyadmin.net/security/PMASA-2016-15 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2016-5099
https://notcve.org/view.php?id=CVE-2016-5099
Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding. Vulnerabilidad de XSS en phpMyAdmin 4.4.x en versiones anteriores a 4.4.15.6 y 4.6.x en versiones anteriores a 4.6.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de caracteres especiales que no son manejados adecuadamente durante la doble decodificación URL. • http://lists.opensuse.org/opensuse-updates/2016-06/msg00043.html http://www.debian.org/security/2016/dsa-3627 http://www.securityfocus.com/bid/90877 http://www.securitytracker.com/id/1035979 https://github.com/phpmyadmin/phpmyadmin/commit/b061096abd992801fbbd805ef6ff74e627528780 https://security.gentoo.org/glsa/201701-32 https://www.phpmyadmin.net/security/PMASA-2016-16 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-5097
https://notcve.org/view.php?id=CVE-2016-5097
phpMyAdmin before 4.6.2 places tokens in query strings and does not arrange for them to be stripped before external navigation, which allows remote attackers to obtain sensitive information by reading (1) HTTP requests or (2) server logs. phpMyAdmin en versiones anteriores a 4.6.2 emplaza tokens en cadenas de consulta y no gestiona su eliminación antes de la navegación externa, lo que permite a atacantes remotos obtener información sensible leyendo (1) peticiones HTTP o (2) los registros del servidor. • http://lists.opensuse.org/opensuse-updates/2016-06/msg00043.html http://www.securitytracker.com/id/1035978 https://github.com/phpmyadmin/phpmyadmin/commit/11eb574242d2526107366d367ab5585fbe29578f https://github.com/phpmyadmin/phpmyadmin/commit/59e56bd63a5e023b797d82eb272cd074e3b4bfd1 https://github.com/phpmyadmin/phpmyadmin/commit/5fc8020c5ba9cd2e38beb5dfe013faf2103cdf0f https://github.com/phpmyadmin/phpmyadmin/commit/8326aaebe54083d9726e153abdd303a141fe5ad3 https://security.gentoo.org/glsa/201701-32 https://www.phpmyadmin.net/security/PMASA-2016-14 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-5701
https://notcve.org/view.php?id=CVE-2016-5701
setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI. setup/frames/index.inc.php en phpMyAdmin 4.0.10.x en versiones anteriores a 4.0.10.16, 4.4.15.x en versiones anteriores a 4.4.15.7 y 4.6.x en versiones anteriores a 4.6.3 permite a atacantes remotos llevar a cabo ataques de inyección BBCode contra sesiones HTTP a través de una URI manipulada. • http://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html http://lists.opensuse.org/opensuse-updates/2016-06/msg00114.html http://www.debian.org/security/2016/dsa-3627 http://www.securityfocus.com/bid/91383 https://github.com/phpmyadmin/phpmyadmin/commit/1dca386505f396f0c2035112a403cc80768a141f https://security.gentoo.org/glsa/201701-32 https://www.phpmyadmin.net/security/PMASA-2016-17 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •