Medium severity6.1NVD Advisory· Published Jul 3, 2016· Updated May 6, 2026

CVE-2016-5701

Description

setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
phpmyadmin/phpmyadminPackagist	>= 4.0.10.0, < 4.0.10.16	4.0.10.16
phpmyadmin/phpmyadminPackagist	>= 4.4.15.0, < 4.4.15.7	4.4.15.7
phpmyadmin/phpmyadminPackagist	>= 4.6.0, < 4.6.3	4.6.3

Affected products

PhpMyAdmin/phpMyAdmin59 versions
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.12:*:*:*:*:*:*:*+ 58 more
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.12:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.13:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.14:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.15:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.10:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.11:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:*:*:*:*:*:*:*
OpenSUSE/Leap
cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
OpenSUSE/openSUSE2 versions
cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

Patches

5633b1d57b23

Use javascript for redirection to https

https://github.com/phpmyadmin/phpmyadminMichal ČihařJun 15, 2016via ghsa

commit

1 file changed · +12 −15

setup/frames/index.inc.php+12 −15 modified

@@ -76,21 +76,18 @@
         . 'sensitive information, like passwords) is transferred unencrypted!'
     );
 
-    if (!empty($_SERVER['REQUEST_URI']) && !empty($_SERVER['HTTP_HOST'])) {
-        $link = htmlspecialchars(
-            'https://' .  $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']
-        );
-        $text .= ' ';
-        $text .= PMA_sanitize(
-            sprintf(
-                __(
-                    'If your server is also configured to accept HTTPS requests '
-                    . 'follow [a@%s]this link[/a] to use a secure connection.'
-                ),
-                $link
-            )
-        );
-    }
+    $text .= ' <a href="#" onclick="window.location.href = \'https:\' + window.location.href.substring(window.location.protocol.length);">';
+
+    // Temporary workaround to use tranlated message in older releases
+    $text .= str_replace(
+        array('[a@%s]', '[/a]'),
+        array('', ''),
+        __(
+            'If your server is also configured to accept HTTPS requests '
+            . 'follow [a@%s]this link[/a] to use a secure connection.'
+        )
+    );
+    $text .= '</a>';
     PMA_messagesSet('notice', 'no_https', __('Insecure connection'), $text);
 }

1dca386505f3

Use javascript for redirection to https

https://github.com/phpmyadmin/phpmyadminMichal ČihařJun 15, 2016via ghsa

commit

1 file changed · +12 −15

setup/frames/index.inc.php+12 −15 modified

@@ -73,21 +73,18 @@
         . 'sensitive information, like passwords) is transferred unencrypted!'
     );
 
-    if (!empty($_SERVER['REQUEST_URI']) && !empty($_SERVER['HTTP_HOST'])) {
-        $link = htmlspecialchars(
-            'https://' .  $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']
-        );
-        $text .= ' ';
-        $text .= PMA_sanitize(
-            sprintf(
-                __(
-                    'If your server is also configured to accept HTTPS requests '
-                    . 'follow [a@%s]this link[/a] to use a secure connection.'
-                ),
-                $link
-            )
-        );
-    }
+    $text .= ' <a href="#" onclick="window.location.href = \'https:\' + window.location.href.substring(window.location.protocol.length);">';
+
+    // Temporary workaround to use tranlated message in older releases
+    $text .= str_replace(
+        array('[a@%s]', '[/a]'),
+        array('', ''),
+        __(
+            'If your server is also configured to accept HTTPS requests '
+            . 'follow [a@%s]this link[/a] to use a secure connection.'
+        )
+    );
+    $text .= '</a>';
     PMA_messagesSet('notice', 'no_https', __('Insecure connection'), $text);
 }

bf7379771f4b

Use javascript for redirection to https

https://github.com/phpmyadmin/phpmyadminMichal ČihařJun 15, 2016via ghsa

commit

1 file changed · +9 −6

setup/frames/index.inc.php+9 −6 modified

@@ -59,12 +59,15 @@
 if (!$is_https) {
     $text = __('You are not using a secure connection; all data (including potentially sensitive information, like passwords) is transferred unencrypted!');
 
-    if (!empty($_SERVER['REQUEST_URI']) && !empty($_SERVER['HTTP_HOST'])) {
-        $link = 'https://' . htmlspecialchars($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
-        $strInsecureConnectionMsg2 = __('If your server is also configured to accept HTTPS requests follow [a@%s]this link[/a] to use a secure connection.');
-        $strInsecureConnectionMsg2 = sprintf($strInsecureConnectionMsg2, $link);
-        $text .= ' ' . PMA_lang($strInsecureConnectionMsg2);
-    }
+    $text .= ' <a href="#" onclick="window.location.href = \'https:\' + window.location.href.substring(window.location.protocol.length);">';
+
+    // Temporary workaround to use tranlated message in older releases
+    $text .= str_replace(
+        array('[a@%s]', '[/a]'),
+        array('', ''),
+        __('If your server is also configured to accept HTTPS requests follow [a@%s]this link[/a] to use a secure connection.')
+    );
+    $text .= '</a>';
     messages_set('notice', 'no_https', __('Insecure connection'), $text);
 }
 ?>

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/phpmyadmin/phpmyadmin/commit/1dca386505f396f0c2035112a403cc80768a141fnvdPatchWEB
www.phpmyadmin.net/security/PMASA-2016-17/nvdPatchVendor Advisory
github.com/advisories/GHSA-rh74-5835-jpxpghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2016-5701ghsaADVISORY
lists.opensuse.org/opensuse-updates/2016-06/msg00113.htmlnvdWEB
lists.opensuse.org/opensuse-updates/2016-06/msg00114.htmlnvdWEB
www.debian.org/security/2016/dsa-3627nvdWEB
github.com/phpmyadmin/phpmyadmin/commit/5633b1d57b23ddaa5a9a976a323c90c18d9be03dghsaWEB
github.com/phpmyadmin/phpmyadmin/commit/bf7379771f4b32e01f4af3b36f8ec6900288688eghsaWEB
security.gentoo.org/glsa/201701-32nvdWEB
web.archive.org/web/20200227223408/http://www.securityfocus.com/bid/91383ghsaWEB
www.phpmyadmin.net/security/PMASA-2016-17ghsaWEB
www.securityfocus.com/bid/91383nvd

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000