VYPR
Medium severity (6.1) · NVD Advisory · Published Jul 5, 2016 · Updated May 6, 2026

CVE-2016-5099

Description

Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 are vulnerable to a self-XSS via double URL decoding of special characters.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in phpMyAdmin versions 4.4.x prior to 4.4.15.6 and 4.6.x prior to 4.6.2 [1]. The flaw occurs when URL-encoded values are mishandled during double URL decoding in multi-submit operations, allowing special HTML characters to be injected and rendered in the page [2]. The vulnerable code path involves the PMA_getUrlParams and PMA_getQueryFromSelected functions, where urldecode() was applied to already-decoded input [2].
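The double-decode defect described above, shown as an added illustration in PHP (this is not phpMyAdmin's code or its patch; the function names and the sample value are constructed). PHP already URL-decodes request parameters once before they reach $_GET/$_POST, so a further urldecode() is the second decode that turns a harmless escaped sequence into live HTML:

```php
<?php
// Added illustration for CVE-2016-5099; not phpMyAdmin's own code.
// PHP decodes the query string once before populating $_GET, so every
// urldecode() applied afterwards is an extra, unintended decode.

declare(strict_types=1);

/**
 * Vulnerable pattern: a parameter that PHP already decoded once is passed
 * through urldecode() again and then written into HTML without escaping.
 */
function render_vulnerable(string $paramAsSeenByHandler): string
{
    $value = urldecode($paramAsSeenByHandler); // second decode: %3C -> <
    return '<td>' . $value . '</td>';          // no output escaping
}

/**
 * Hardened form: no extra urldecode() (the request layer did the one decode
 * that is meant to happen) and the value is HTML-escaped on output.
 */
function render_fixed(string $paramAsSeenByHandler): string
{
    $value = htmlspecialchars($paramAsSeenByHandler, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td>' . $value . '</td>';
}

/**
 * Review aid: true when a value still contains percent-escapes after the
 * request layer's decode, i.e. a second urldecode() would change it.
 */
function would_double_decode_change(string $paramAsSeenByHandler): bool
{
    return urldecode($paramAsSeenByHandler) !== $paramAsSeenByHandler;
}

// Constructed sample: the client sent "%253Cb%253E" in the query string.
// PHP's own decode turns that into "%3Cb%3E", which is what the handler sees.
$param = '%3Cb%3E';

echo 'vulnerable: ' . render_vulnerable($param) . PHP_EOL;
echo 'fixed:      ' . render_fixed($param) . PHP_EOL;
echo 'second decode would change value: '
    . (would_double_decode_change($param) ? 'yes' : 'no') . PHP_EOL;
```

Run with `php file.php`: the vulnerable path emits the angle brackets as markup, while the fixed path leaves the single-decoded text intact and escaped.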

Exploitation

An attacker can craft a malicious URL containing double-encoded special characters. If an authenticated phpMyAdmin user visits this URL, the characters are decoded twice and displayed as raw HTML, enabling arbitrary script execution in the context of the victim's session [1]. No authentication is required for the attacker, but the victim must be logged into phpMyAdmin for the self-XSS to be effective.

Impact

Successful exploitation allows the attacker to execute arbitrary web script or HTML within the victim's phpMyAdmin session. This can lead to session hijacking, data theft, or unauthorized actions performed under the victim's privileges. The impact is limited to the phpMyAdmin interface and the database operations accessible to the victim user.

Mitigation

The vulnerability is fixed in phpMyAdmin 4.4.15.6 and 4.6.2 [1]. Users should upgrade to these versions or later. Patches are available in commit b061096 for the 4.6 branch and 78e7189 for the 4.4 branch [2]. The Gentoo security advisory (GLSA 201701-32) recommends upgrading to >=dev-db/phpmyadmin-4.6.5.1 [3]. No workaround is known, and the issue is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
