CVSS: 8.1EPSS: 0%CPEs: 60EXPL: 0CVE-2016-6606 – Gentoo Linux Security Advisory 201701-32
https://notcve.org/view.php?id=CVE-2016-6606
11 Dec 2016 — An issue was discovered in cookie encryption in phpMyAdmin. The decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user's browser cookie file to decrypt the username and password. Furthermore, the same initialization vector (IV) is used to hash the username and password stored in the phpMyAdmin cookie. If a user has the same password as their username, an attacker who examines the browser cookie can see that they are the same - but th... • http://www.securityfocus.com/bid/94114 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-310: Cryptographic Issues •
CVSS: 9.8EPSS: 0%CPEs: 63EXPL: 0CVE-2016-9866 – Gentoo Linux Security Advisory 201701-32
https://notcve.org/view.php?id=CVE-2016-9866
11 Dec 2016 — An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. Se descubrió un problema en phpMyAdmin. Cuando el arg_separator es diferente de su valor predeterminado, el token CSRF no sé eliminó correctamente de la URL de retorno de la acción de import... • http://www.securityfocus.com/bid/94536 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 63EXPL: 0CVE-2016-9848 – Gentoo Linux Security Advisory 201701-32
https://notcve.org/view.php?id=CVE-2016-9848
11 Dec 2016 — An issue was discovered in phpMyAdmin. phpinfo (phpinfo.php) shows PHP information including values of HttpOnly cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. Se descubrió un problema en phpMyAdmin. phpinfo (phpinfo.php) muestra información PHP incluyendo valores de cookies HttpOnly. Todas las versiones 4.6.x (anteriores a 4.6.5), versiones 4.4.x (anteriores a 4.4.15.9) y versiones 4.0.x (anteriores a 4.0.10.18) están a... • http://www.securityfocus.com/bid/94523 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 63EXPL: 0CVE-2016-9857 – Gentoo Linux Security Advisory 201701-32
https://notcve.org/view.php?id=CVE-2016-9857
11 Dec 2016 — An issue was discovered in phpMyAdmin. XSS is possible because of a weakness in a regular expression used in some JavaScript processing. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. Se descubrió un problema en phpMyAdmin. XSS es posible debido a una debilidad en una expresión regular utilizada en algún procesamiento JavaScript. • http://www.securityfocus.com/bid/94530 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 60EXPL: 0CVE-2016-6612 – Gentoo Linux Security Advisory 201701-32
https://notcve.org/view.php?id=CVE-2016-6612
11 Dec 2016 — An issue was discovered in phpMyAdmin. A user can exploit the LOAD LOCAL INFILE functionality to expose files on the server to the database system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. Se descubrió un problema en phpMyAdmin. Un usuario puede explotar la funcionalidad LOAD LOCAL INFILE para exponer los archivos del servidor al sistema de base de datos. • http://www.securityfocus.com/bid/94113 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 63EXPL: 0CVE-2016-9847 – Gentoo Linux Security Advisory 201701-32
https://notcve.org/view.php?id=CVE-2016-9847
11 Dec 2016 — An issue was discovered in phpMyAdmin. When the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where the way this value is created uses a weak algorithm. This could allow an attacker to determine the user's blowfish_secret and potentially decrypt their cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. • http://www.securityfocus.com/bid/94524 • CWE-310: Cryptographic Issues •
CVSS: 9.8EPSS: 0%CPEs: 63EXPL: 0CVE-2016-9865 – Gentoo Linux Security Advisory 201701-32
https://notcve.org/view.php?id=CVE-2016-9865
11 Dec 2016 — An issue was discovered in phpMyAdmin. Due to a bug in serialized string parsing, it was possible to bypass the protection offered by PMA_safeUnserialize() function. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. Se descubrió un problema en phpMyAdmin. Debido a un error en el análisis de cadenas serializado, fue posible eludir la protección ofrecida por la función PMA_safeUnserialize(). • http://www.securityfocus.com/bid/94531 • CWE-254: 7PK - Security Features CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 60EXPL: 0CVE-2016-6609 – Gentoo Linux Security Advisory 201701-32
https://notcve.org/view.php?id=CVE-2016-6609
11 Dec 2016 — An issue was discovered in phpMyAdmin. A specially crafted database name could be used to run arbitrary PHP commands through the array export feature. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. Se descubrió un problema en phpMyAdmin. Un nombre de base de datos especialmente manipulado podría ser utilizado para ejecutar comandos PHP arbitrarios a través de la función de exportación del array. • http://www.securityfocus.com/bid/94112 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 5.9EPSS: 0%CPEs: 60EXPL: 0CVE-2016-6632 – Gentoo Linux Security Advisory 201701-32
https://notcve.org/view.php?id=CVE-2016-6632
11 Dec 2016 — An issue was discovered in phpMyAdmin where, under certain conditions, phpMyAdmin may not delete temporary files during the import of ESRI files. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. Se descubrió un problema en phpMyAdmin donde, bajo ciertas condiciones, phpMyAdmin no puede eliminar archivos temporales durante la importación de archivos ESRI. Todas las versiones 4.6.x (anteriores a 4.6.4), versiones 4.4.x (anteriores a... • http://www.securityfocus.com/bid/92497 • CWE-399: Resource Management Errors •
CVSS: 7.5EPSS: 0%CPEs: 63EXPL: 0CVE-2016-9864 – Gentoo Linux Security Advisory 201701-32
https://notcve.org/view.php?id=CVE-2016-9864
11 Dec 2016 — An issue was discovered in phpMyAdmin. With a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the MySQL database. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) ar... • http://www.securityfocus.com/bid/94533 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •