CVE-2016-2045
Description
Cross-site scripting (XSS) vulnerability in the SQL editor in phpMyAdmin 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a SQL query that triggers JSON data in a response.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated XSS in phpMyAdmin's SQL editor (4.5.x before 4.5.4): a crafted SQL query that returns JSON data is served without a JSON content type, allowing script injection.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the SQL editor of phpMyAdmin versions 4.5.x prior to 4.5.4. When a crafted SQL query triggers a JSON response, the Content-Type header is not set to application/json, so the browser interprets the response body as HTML and executes any injected script it contains. The fix sets the correct Content-Type header and adds X-Content-Type-Options: nosniff to prevent content sniffing [1][2].
Exploitation
An attacker must be authenticated to phpMyAdmin and have the ability to execute SQL queries in the SQL editor. By crafting a SQL query that produces specially constructed output, the resulting response is served without the proper JSON Content-Type, allowing the injection of arbitrary web script or HTML that executes in the context of the user's session [2].
Impact
Successful exploitation leads to persistent or reflected cross-site scripting (XSS) within the phpMyAdmin interface. An attacker can execute arbitrary JavaScript in the victim's browser, potentially stealing session cookies, performing actions on behalf of the victim, or defacing the interface [1][2].
Mitigation
Upgrade to phpMyAdmin 4.5.4 or later, which includes commits 0a24f92d081033576bfdd9d4bdec1a54501734c1 and 11496890d7e21786cbfd9fd17ab968f498116b3f that correct the Content-Type header and add anti-sniffing headers [1][2]. No workaround is available for unpatched versions.
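The contrast between the vulnerable and fixed response handling described above (Vulnerability and Mitigation), as an added PHP example that is not phpMyAdmin's own code nor the content of the referenced commits. The function names and the sample result row are constructed for this illustration; the JSON_HEX_TAG/JSON_HEX_AMP escaping is an extra layer that the advisory does not describe.

```php
<?php
// Added example, not phpMyAdmin code: a JSON endpoint before and after
// applying the class of fix described for CVE-2016-2045.

// Constructed sample result: a string value that an authenticated user
// could have placed in a query result and that is echoed back inside JSON.
$rows = [['id' => 1, 'note' => '<script>alert(1)</script>']];

// Vulnerable pattern: no Content-Type header is sent, so PHP's default
// (text/html) applies. A browser that renders this response directly
// treats the embedded markup as HTML instead of as data.
function emit_json_vulnerable(array $payload): void
{
    echo json_encode($payload);
}

// Hardened pattern: declare the body as JSON and forbid MIME sniffing so
// the browser never promotes the response to HTML. JSON_HEX_TAG and
// JSON_HEX_AMP additionally emit <, > and & as \u003C, \u003E and \u0026,
// which keeps the body inert even if it is ever embedded elsewhere.
function emit_json_hardened(array $payload): void
{
    header('Content-Type: application/json; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
    echo json_encode($payload, JSON_HEX_TAG | JSON_HEX_AMP);
}

emit_json_hardened(['success' => true, 'rows' => $rows]);
```

When auditing a deployment, the same two headers are what to check for in the raw HTTP response of any SQL-editor AJAX request: a JSON body returned as text/html without nosniff is the condition this CVE describes.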
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3:*:*:*:*:*:*:*
- version range (no CPE): >= 4.5.0, < 4.5.4
- cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.phpmyadmin.net/home_page/security/PMASA-2016-9.php (NVD: Patch, Vendor Advisory)
- github.com/phpmyadmin/phpmyadmin/commit/0a24f92d081033576bfdd9d4bdec1a54501734c1 (NVD: Patch)
- github.com/phpmyadmin/phpmyadmin/commit/11496890d7e21786cbfd9fd17ab968f498116b3f (NVD: Patch)
- lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html (NVD: Third Party Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html (NVD: Third Party Advisory)
News mentions
No linked articles in our index yet.