CVE-2016-5704
Description
Cross-site scripting (XSS) vulnerability in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving a comment.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyAdmin 4.6.x before 4.6.3 has a stored XSS vulnerability on the table-structure page via a crafted comment.
Vulnerability
The table-structure page in phpMyAdmin 4.6.x prior to 4.6.3 renders a table's comment (the TABLE_COMMENT value shown in the page's "Information" fieldset) without HTML escaping. An attacker who controls that comment can therefore store arbitrary HTML or script in the database itself; it is executed in the browser of every user who later views the structure of that table. All 4.6.x versions prior to 4.6.3 are affected [1], [3].
Exploitation
To exploit this vulnerability, an attacker needs to be able to set the comment of a table that a victim will later inspect. Setting a table comment requires ALTER privilege on that table and can be done through the phpMyAdmin interface or directly in SQL with ALTER TABLE ... COMMENT = '...'; the attacker does not need phpMyAdmin access of their own, since any path that can run that statement suffices. The payload is stored in the table metadata, so it persists across sessions and is triggered by any vulnerable phpMyAdmin instance, including one used by a more privileged administrator, as soon as the table-structure page is opened [1], [3].
Impact
Successful exploitation allows an attacker to execute arbitrary HTML and JavaScript in the authenticated phpMyAdmin session of any user who views the affected table's structure. Because the script runs same-origin with the victim's session, it can read the anti-CSRF token embedded in the page's forms and links and submit requests on the victim's behalf, including running SQL with the victim's database privileges; session hijacking, defacement of the interface, and theft of data displayed in it follow from the same position. A low-privileged account with ALTER on a single table can thereby reach the privileges of any administrator who inspects that table [1], [3].
Mitigation
The vulnerability is fixed in phpMyAdmin 4.6.3, released on 2016-06-23, by wrapping the table comment in htmlspecialchars() in the table-structure template [1], [3]; the vendor advisory is PMASA-2016-20 [2] and Gentoo shipped the fix as GLSA 201701-32 [5]. Users should upgrade to 4.6.3 or later, or apply the patch from commit 72213573182896bd6a6e5af5ba1881dd87c4a20b. No workarounds are documented; the recommended mitigation is updating to the patched version. Until then, treat existing table comments as untrusted input and audit them (information_schema.TABLES.TABLE_COMMENT) for markup, since a payload planted before the upgrade is still stored afterwards even though it no longer executes.
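The following Python is an added illustration, not phpMyAdmin code, of the two sides described above: the rendering path that the fix changed (the pre-patch output interpolates the comment raw, the post-patch output escapes it the way htmlspecialchars() does) and a defender's scan over information_schema-shaped rows for comments that carry markup. The sample rows, the payload comment and all function names are constructed for this example; DETECTION_SQL is an ordinary information_schema query and is not taken from the project.

```python
"""Added example for CVE-2016-5704: unescaped vs escaped rendering of a
MySQL table comment, plus a scan for comments that contain markup.
Nothing here is phpMyAdmin code; the rows and payload are constructed."""
import html
import re

# Constructed rows shaped like the result of
#   SELECT TABLE_SCHEMA, TABLE_NAME, TABLE_COMMENT FROM information_schema.TABLES
# An attacker with ALTER on a table sets its comment with
#   ALTER TABLE <t> COMMENT = '<payload>';
# The third row carries a constructed XSS payload, the fourth harmless bold tags.
SAMPLE_TABLES = [
    ("shop", "orders", "Customer orders, partitioned monthly"),
    ("shop", "customers", ""),
    ("shop", "audit", "<script>fetch('/x?c='+document.cookie)</script>"),
    ("shop", "notes", "Used by the <b>reporting</b> job"),
]

# Query a defender can run on a live server to find candidate comments
# (MySQL REGEXP); equivalent to find_suspicious_comments() below.
DETECTION_SQL = (
    "SELECT TABLE_SCHEMA, TABLE_NAME, TABLE_COMMENT "
    "FROM information_schema.TABLES "
    "WHERE TABLE_COMMENT REGEXP '[<>]' OR TABLE_COMMENT LIKE '%&#%'"
)


def render_table_comment_pre_patch(comment):
    """Models the 4.6.0-4.6.2 template: the comment goes into the page raw."""
    return "<p><strong>Table comments: </strong>%s</p>" % comment


def render_table_comment_post_patch(comment):
    """Models the 4.6.3 template, which wraps the comment in htmlspecialchars().
    quote=True also encodes ' and ", i.e. PHP's ENT_QUOTES behaviour, which is
    the safer default should the value ever land in an attribute."""
    return "<p><strong>Table comments: </strong>%s</p>" % html.escape(comment, quote=True)


# Table comments are plain text by design, so angle brackets, entities or a
# javascript: scheme in one are unusual enough to flag.
_SUSPICIOUS = re.compile(r"[<>]|&#|&[a-z]+;|javascript:", re.IGNORECASE)


def find_suspicious_comments(rows):
    """Return the (schema, table, comment) rows whose comment contains markup."""
    return [(s, t, c) for (s, t, c) in rows if c and _SUSPICIOUS.search(c)]


def contains_active_markup(rendered):
    """Crude check used to compare the two renderings: is a raw <script> tag
    still present in the emitted HTML?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    payload = SAMPLE_TABLES[2][2]
    print("pre-patch :", render_table_comment_pre_patch(payload))
    print("post-patch:", render_table_comment_post_patch(payload))
    for schema, table, comment in find_suspicious_comments(SAMPLE_TABLES):
        print("flag: %s.%s -> %r" % (schema, table, comment))
```

The scan deliberately flags benign markup such as the `<b>` in the fourth row: a comment with any tag is worth a human look, and a true positive is cheap to confirm by reading the comment.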
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 4.6.0, < 4.6.3 | 4.6.3 |
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.2:*:*:*:*:*:*:*
- (no CPE) version range: >= 4.6.0, <= 4.6.2
- GHSA version ranges:
  - >= 4.6.0, < 4.6.3
  - < 4.6.5.2-1.1
Patches
722135731828 Fix XSS on table structure
1 file changed · +1 −1
templates/table/structure/display_table_stats.phtml+1 −1 modified@@ -3,7 +3,7 @@ <fieldset> <legend><?= __('Information'); ?></legend> <p> <strong> <?= __('Table comments: ') ?> </strong> - <?= isset($showtable['TABLE_COMMENT']) ? $showtable['TABLE_COMMENT'] : '';?> + <?= isset($showtable['TABLE_COMMENT']) ? htmlspecialchars($showtable['TABLE_COMMENT']) : '';?> </p> <a id="showusage"></a>
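Review bot: the one-line change in display_table_stats.phtml calls htmlspecialchars() with its default flags, which on the PHP versions current for this release do not encode single quotes (ENT_QUOTES is only the default from PHP 8.1). That is sufficient here because the comment lands in element text between `<strong>…</strong>` and `</p>`, not in an attribute, but passing ENT_QUOTES explicitly would keep the template safe if the same value is ever reused in an attribute context. The diff also shows "1 file changed · +1 −1", so no regression test covering a comment containing `<` was added; a test that renders a table whose comment is `<script>` and asserts the escaped form would keep this from regressing.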
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/phpmyadmin/phpmyadmin/commit/72213573182896bd6a6e5af5ba1881dd87c4a20b (patch, via NVD)
[2] www.phpmyadmin.net/security/PMASA-2016-20/ (vendor advisory, via NVD)
[3] github.com/advisories/GHSA-gcvp-cwgw-wx8j (advisory, via GHSA)
[4] nvd.nist.gov/vuln/detail/CVE-2016-5704 (advisory, via GHSA)
[5] security.gentoo.org/glsa/201701-32 (via NVD)
[6] www.phpmyadmin.net/security/PMASA-2016-20 (via GHSA)