CVE-2016-2040
https://notcve.org/view.php?id=CVE-2016-2040
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname in a Location header. Múltiples vulnerabilidades de XSS en phpMyAdmin 4.0.x en versiones anteriores a 4.0.10.13, 4.4.x en versiones anteriores a 4.4.15.3 y 4.5.x en versiones anteriores a 4.5.4 permiten a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de (1) un nombre de tabla, (2) un valor SET, (3) una consulta de búsqueda o (4) un nombre de host en una cabecera Location. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html http://www.debian.org/security/2016/dsa-3627 http://www.phpmyadmin.net/home_page/security/PMASA-2016-3.php https://github.com/phpmyadmin/phpmyadmin/commit/75a55824012406a08c4debf5ddb7ae41c32a7dbc https://github.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-2039
https://notcve.org/view.php?id=CVE-2016-2039
libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value. libraries/session.inc.php en phpMyAdmin 4.0.x en versiones anteriores a 4.0.10.13, 4.4.x en versiones anteriores a 4.4.15.3 y 4.5.x en versiones anteriores a 4.5.4 no genera adecuadamente valores de token CSRF, lo que permite a atacantes remotos eludir las restricciones destinadas al acceso mediante la predicción de un valor. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html http://www.debian.org/security/2016/dsa-3627 http://www.phpmyadmin.net/home_page/security/PMASA-2016-2.php https://github.com/phpmyadmin/phpmyadmin/commit/cb7748ac9cffcd1cd0f3081499cd4aafa9d1065e https://github.com • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-2042
https://notcve.org/view.php?id=CVE-2016-2042
phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request to (1) libraries/phpseclib/Crypt/AES.php or (2) libraries/phpseclib/Crypt/Rijndael.php, which reveals the full path in an error message. phpMyAdmin 4.4.x en versiones anteriores a 4.4.15.3 y 4.5.x en versiones anteriores a 4.5.4 permite a atacantes remotos obtener información sensible a través de una petición manipulada a (1) libraries/phpseclib/Crypt/AES.php o (2) libraries/phpseclib/Crypt/Rijndael.php, lo cual revela la ruta completa en un mensaje de error. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html http://www.phpmyadmin.net/home_page/security/PMASA-2016-6.php https://github.com/phpmyadmin/phpmyadmin/commit/5a3de108f26e4b0dddadddbe8ccdb1dd5526771f • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-2043
https://notcve.org/view.php?id=CVE-2016-2043
Cross-site scripting (XSS) vulnerability in the goToFinish1NF function in js/normalization.js in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a table name to the normalization page. Vulnerabilidad de XSS en la función goToFinish1NF en js/normalization.js en phpMyAdmin 4.4.x en versiones anteriores a 4.4.15.3 y 4.5.x en versiones anteriores a 4.5.4 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de un nombre de tabla en la página de normalización. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html http://www.phpmyadmin.net/home_page/security/PMASA-2016-7.php https://github.com/phpmyadmin/phpmyadmin/commit/019c4f25d500ec5db9ba3b84cc961a7e4e850738 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-2038
https://notcve.org/view.php?id=CVE-2016-2038
phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. phpMyAdmin 4.0.x en versiones anteriores a 4.0.10.13, 4.4.x en versiones anteriores a 4.4.15.3 y 4.5.x en versiones anteriores a 4.5.4 permite a atacantes remotos obtener información sensible a través de una petición manipulada, lo cual revela la ruta completa en un mensaje de error. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html http://www.phpmyadmin.net/home_page/security/PMASA-2016-1.php https://github.com/phpmyadmin/phpmyadmin/commit/447c88f4884fe30a25d38c331c31d820a19f8c93 https://github.com/phpmyadmin/phpmyadmin/commit/5aee5035646c4fc617564cb0d3d58c0435d64d81 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •