CVE-2016-5705
Description
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an "invalid JSON" error message in the error console, (3) a database name in the central columns implementation, (4) a group name, or (5) a search name in the bookmarks implementation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyAdmin before 4.4.15.7 and 4.6.3 contains multiple stored/reflected XSS flaws in user privileges, error console, central columns, bookmarks, and user groups.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in phpMyAdmin versions 4.4.x prior to 4.4.15.7 and 4.6.x prior to 4.6.3 [1][4]. The flaws occur in five distinct locations: (1) certificate data fields on the user privileges page, (2) an "invalid JSON" error message displayed in the error console, (3) a database name used in the central columns implementation, (4) a group name, and (5) a search name in the bookmarks implementation. All vectors allow injection of arbitrary web script or HTML [1].
Exploitation
An attacker needs to supply crafted input in one of the vulnerable fields. For the user privileges and group name vectors, the attacker must have privileges to edit those items; for the error console, the attacker can trigger an invalid JSON response and inject script into the error message; for central columns and bookmarks, the attacker needs to supply a malicious database or search name. The injected script executes in the context of the victim's browser when the page containing the unsanitized input is rendered. No special network position is required, as the attack is carried out via normal HTTP requests [2][3][4].
Impact
Successful exploitation allows a remote attacker to inject arbitrary web script or HTML, leading to potential theft of session cookies, credential harvesting, or defacement of the phpMyAdmin interface. The attack can be performed without authentication in some vectors (e.g., error console), while others require authenticated access. The impact is limited to the browser session of the victim user [1][2][3][4].
Mitigation
The phpMyAdmin project released fixes in versions 4.4.15.7 and 4.6.3 [1][4]. Users should upgrade to these or later versions. The commits addressing the issues are available in the official repository [2]. No workarounds are documented; upgrading is the recommended solution [4].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
phpmyadmin/phpmyadminPackagist | >= 4.4.0, < 4.4.15.7 | 4.4.15.7 |
phpmyadmin/phpmyadminPackagist | >= 4.6.0, < 4.6.3 | 4.6.3 |
Affected products
36cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:*:*:*:*:*:*:*+ 30 more
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.2:*:*:*:*:*:*:*
- ghsa-coords2 versions
>= 4.4.0, < 4.4.15.7+ 1 more
- (no CPE)range: >= 4.4.0, < 4.4.15.7
- (no CPE)range: < 4.6.5.2-1.1
Patches
557ae483bad33Escape database name when showing dialog
1 file changed · +1 −1
js/functions.js+1 −1 modified@@ -3534,7 +3534,7 @@ AJAX.registerOnload('functions.js', function () { var result_pointer = i; var search_in = '<input type="text" class="filter_rows" placeholder="' + PMA_messages.searchList + '">'; if (fields === '') { - fields = PMA_sprintf(PMA_messages.strEmptyCentralList, "'" + db + "'"); + fields = PMA_sprintf(PMA_messages.strEmptyCentralList, "'" + escapeHtml(db) + "'"); search_in = ''; } var seeMore = '';
36df83a97a7fEscape saved search name
1 file changed · +1 −1
libraries/DbQbe.php+1 −1 modified@@ -1900,7 +1900,7 @@ private function _getSavedSearchesField() } $html_output .= '</select>'; $html_output .= '<input type="text" name="searchName" id="searchName" ' - . 'value="' . $currentSearchName . '" />'; + . 'value="' . htmlspecialchars($currentSearchName) . '" />'; $html_output .= '<input type="hidden" name="action" id="action" value="" />'; $html_output .= '<input type="submit" name="saveSearch" id="saveSearch" ' . 'value="' . __('Create bookmark') . '" />';
0b7416c5f443Escape user group when displaying
1 file changed · +1 −1
libraries/server_privileges.lib.php+1 −1 modified@@ -3679,7 +3679,7 @@ function PMA_getHtmlTableBodyForUserRights($db_rights) if ($cfgRelation['menuswork']) { $html_output .= '<td class="usrGroup">' . "\n" . (isset($group_assignment[$host['User']]) - ? $group_assignment[$host['User']] + ? htmlspecialchars($group_assignment[$host['User']]) : '' ) . '</td>' . "\n";
364732e309ccEscape error message from server
1 file changed · +1 −1
js/console.js+1 −1 modified@@ -201,7 +201,7 @@ var PMA_console = { } catch (e) { console.log("Invalid JSON!" + e.message); if (AJAX.xhr && AJAX.xhr.status === 0 && AJAX.xhr.statusText !== 'abort') { - PMA_ajaxShowMessage($('<div />',{'class':'error','html':PMA_messages.strRequestFailed+' ( '+AJAX.xhr.statusText+' )'})); + PMA_ajaxShowMessage($('<div />',{'class':'error','html':PMA_messages.strRequestFailed+' ( '+escapeHtml(AJAX.xhr.statusText)+' )'})); AJAX.active = false; AJAX.xhr = null; }
03f73d483697Fix XSS on server privileges
1 file changed · +3 −3
libraries/server_privileges.lib.php+3 −3 modified@@ -806,7 +806,7 @@ function PMA_getHtmlForRequires($row) . 'REQUIRE CIPHER' . '</dfn></code></label>'; $html_output .= '<input type="text" name="ssl_cipher" id="text_ssl_cipher" ' - . 'value="' . (isset($row['ssl_cipher']) ? $row['ssl_cipher'] : '') . '" ' + . 'value="' . (isset($row['ssl_cipher']) ? htmlspecialchars($row['ssl_cipher']) : '') . '" ' . 'size=80" title="' . __( 'Requires that a specific cipher method be used for a connection.' @@ -826,7 +826,7 @@ function PMA_getHtmlForRequires($row) . 'REQUIRE ISSUER' . '</dfn></code></label>'; $html_output .= '<input type="text" name="x509_issuer" id="text_x509_issuer" ' - . 'value="' . (isset($row['x509_issuer']) ? $row['x509_issuer'] : '') . '" ' + . 'value="' . (isset($row['x509_issuer']) ? htmlspecialchars($row['x509_issuer']) : '') . '" ' . 'size=80" title="' . __( 'Requires that a valid X509 certificate issued by this CA be presented.' @@ -846,7 +846,7 @@ function PMA_getHtmlForRequires($row) . 'REQUIRE SUBJECT' . '</dfn></code></label>'; $html_output .= '<input type="text" name="x509_subject" id="text_x509_subject" ' - . 'value="' . (isset($row['x509_subject']) ? $row['x509_subject'] : '') + . 'value="' . (isset($row['x509_subject']) ? htmlspecialchars($row['x509_subject']) : '') . '" size=80" title="' . __( 'Requires that a valid X509 certificate with this subject be presented.'
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
15- github.com/phpmyadmin/phpmyadmin/commit/03f73d48369703e0d3584699b08e24891c3295b8nvdPatchWEB
- github.com/phpmyadmin/phpmyadmin/commit/0b7416c5f4439ed3f11c023785f2d4c49a1b09fcnvdPatchWEB
- github.com/phpmyadmin/phpmyadmin/commit/364732e309cccb3fb56c938ed8d8bc0e04a3ca98nvdPatchWEB
- github.com/phpmyadmin/phpmyadmin/commit/36df83a97a7f140fdb008b727a94f882847c6a6fnvdPatchWEB
- github.com/phpmyadmin/phpmyadmin/commit/57ae483bad33059a885366d5445b7e1f6f29860anvdPatchWEB
- www.phpmyadmin.net/security/PMASA-2016-21/nvdPatchVendor Advisory
- github.com/advisories/GHSA-6q2j-8h8q-46mrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-5705ghsaADVISORY
- lists.opensuse.org/opensuse-updates/2016-06/msg00113.htmlnvdWEB
- lists.opensuse.org/opensuse-updates/2016-06/msg00114.htmlnvdWEB
- www.debian.org/security/2016/dsa-3627nvdWEB
- security.gentoo.org/glsa/201701-32nvdWEB
- web.archive.org/web/20200227223416/http://www.securityfocus.com/bid/91378ghsaWEB
- www.phpmyadmin.net/security/PMASA-2016-21ghsaWEB
- www.securityfocus.com/bid/91378nvd
News mentions
0No linked articles in our index yet.