High severity (7.5) · NVD Advisory · Published Jul 3, 2016 · Updated May 6, 2026
CVE-2016-5739
Description
The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 4.0.10.0, < 4.0.10.16 | 4.0.10.16 |
| phpmyadmin/phpmyadmin (Packagist) | >= 4.4.15.0, < 4.4.15.7 | 4.4.15.7 |
| phpmyadmin/phpmyadmin (Packagist) | >= 4.6.0, < 4.6.3 | 4.6.3 |
Patches
2f4950828ec2 Update referrer <meta> to match current standards
1 file changed · +1 −1
libraries/Header.php+1 −1 modified@@ -639,7 +639,7 @@ private function _getHtmlStart() private function _getMetaTags() { $retval = '<meta charset="utf-8" />'; - $retval .= '<meta name="referrer" content="none" />'; + $retval .= '<meta name="referrer" content="no-referrer" />'; $retval .= '<meta name="robots" content="noindex,nofollow" />'; $retval .= '<meta http-equiv="X-UA-Compatible" content="IE=Edge">'; if (! $GLOBALS['cfg']['AllowThirdPartyFraming']) {
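Review bot: changing the tag to `content="no-referrer"` makes the <meta> keyword match the `referrer no-referrer;` directive already emitted from sendHttpHeaders(), which is the right fix, but any user agent that only understood the earlier draft spelling `none` stops honouring the tag from this commit on; keep the header-level directive as the fallback rather than relying on the tag alone, and add a test that asserts the rendered <head> contains `<meta name="referrer" content="no-referrer" />` so the value cannot silently regress to the old spelling.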
1e5716cb96d4 Add referrer CSP and <meta> tag
1 file changed · +4 −0
libraries/Header.php+4 −0 modified@@ -550,6 +550,7 @@ public function sendHttpHeaders() . $captcha_url . $GLOBALS['cfg']['CSPAllow'] . ";" + . "referrer no-referrer;" . "img-src 'self' data: " . $GLOBALS['cfg']['CSPAllow'] . $map_tile_urls @@ -561,6 +562,7 @@ public function sendHttpHeaders() . $captcha_url . $GLOBALS['cfg']['CSPAllow'] . ';' . "options inline-script eval-script;" + . "referrer no-referrer;" . "img-src 'self' data: " . $GLOBALS['cfg']['CSPAllow'] . $map_tile_urls @@ -575,6 +577,7 @@ public function sendHttpHeaders() . $captcha_url . $GLOBALS['cfg']['CSPAllow'] . " 'unsafe-inline' 'unsafe-eval';" + . "referrer no-referrer;" . "style-src 'self' 'unsafe-inline' " . $captcha_url . ';' @@ -636,6 +639,7 @@ private function _getHtmlStart() private function _getMetaTags() { $retval = '<meta charset="utf-8" />'; + $retval .= '<meta name="referrer" content="none" />'; $retval .= '<meta name="robots" content="noindex,nofollow" />'; $retval .= '<meta http-equiv="X-UA-Compatible" content="IE=Edge">'; if (! $GLOBALS['cfg']['AllowThirdPartyFraming']) {
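Review bot: `referrer no-referrer;` in the first hunk (the Content-Security-Policy header) is a directive from the CSP draft rather than the published spec, so browsers that never shipped it ignore it silently without any error; the `<meta name="referrer">` tag added in the last hunk is the part most user agents act on, and the standard `Referrer-Policy: no-referrer` response header is the header-level control to emit alongside (or instead of) the CSP directive. A code comment marking the directive as best-effort would stop a later reader from assuming it alone is what protects the token.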
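Review bot: the literal `"referrer no-referrer;"` is now repeated in all three header variants (hunks one to three), and the third hunk (X-WebKit-CSP) inserts it before `style-src` while the first two insert it before `img-src`; pulling it into one variable, e.g. `$referrer_directive = "referrer no-referrer;";`, and concatenating that in each branch would keep the three policies from drifting the next time one of them is edited.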
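Review bot: `content="none"` in the last hunk is not the keyword the Referrer Policy spec settled on; the spec spelling is `no-referrer`, which is also what the CSP directive in the same commit uses, so the tag should read `<meta name="referrer" content="no-referrer" />` (this is exactly what the follow-up commit 2f4950828ec2 on this page changes). Placing the tag directly after the charset <meta> is correct, since the policy only governs fetches issued after the tag has been parsed.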
Vulnerability mechanics
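The leak the description refers to, as an added example that is not phpMyAdmin's own code: the token phpMyAdmin carries in the page URL ends up in the Referer header of any request the rendered page makes to another origin unless the document's referrer policy suppresses it. The block below implements the relevant subset of the Referrer Policy algorithm and then checks constructed responses shaped like the unpatched code, the first fix commit (CSP `referrer` directive plus `<meta ... content="none">`), the second fix commit (`content="no-referrer"`), and a plain `Referrer-Policy` header. The page and attacker URLs, the header and HTML samples, the precedence order among the three controls, and the `token=` parameter name are assumptions made for the example.

```python
"""Added example, not phpMyAdmin's code: model how a CSRF token carried in the page
URL leaks through the Referer header, and check a response for the three referrer
controls the fix commits use (a `referrer` CSP directive, also in the legacy
X-Content-Security-Policy / X-WebKit-CSP headers; a `<meta name="referrer">` tag;
the standard Referrer-Policy header). All sample URLs, headers and HTML are constructed.
"""
import re
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# Draft-era spellings of "send nothing"; "none" is what the first commit emitted in
# the <meta> tag before the second commit changed it to "no-referrer".
LEGACY_ALIASES = {"none": "no-referrer", "never": "no-referrer"}
CSP_HEADERS = ("content-security-policy", "x-content-security-policy", "x-webkit-csp")
META_RE = re.compile(r'<meta\s+name=["\']referrer["\']\s+content=["\']([^"\']*)["\']', re.I)


def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.rsplit('@', 1)[-1]}"


def _stripped(url: str) -> str:
    """'Strip URL for use as a referrer': drop credentials and fragment, keep the query."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc.rsplit("@", 1)[-1], p.path, p.query, ""))


def referer_for(page_url: str, target_url: str, policy: str) -> Optional[str]:
    """Referer a browser sends from page_url to target_url under the given policy
    (a subset of the Referrer Policy keywords; None means no header at all)."""
    policy = LEGACY_ALIASES.get(policy, policy)
    same_origin = _origin(page_url) == _origin(target_url)
    downgrade = page_url.startswith("https://") and target_url.startswith("http://")
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _stripped(page_url)
    if policy == "no-referrer-when-downgrade":       # browser default in 2016
        return None if downgrade else _stripped(page_url)
    if policy == "origin":
        return _origin(page_url) + "/"
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if same_origin:
            return _stripped(page_url)
        return None if downgrade else _origin(page_url) + "/"
    raise ValueError(f"unsupported referrer policy {policy!r}")


def csp_referrer(headers: Dict[str, str]) -> Optional[str]:
    """Value of the draft-era `referrer` CSP directive, from whichever CSP header carries it."""
    h = {k.lower(): v for k, v in headers.items()}
    for name in CSP_HEADERS:
        for directive in h.get(name, "").split(";"):
            parts = directive.split()
            if len(parts) >= 2 and parts[0].lower() == "referrer":
                return parts[1].lower()
    return None


def effective_policy(headers: Dict[str, str], html: str,
                     browser_default: str = "no-referrer-when-downgrade") -> str:
    """Policy the page ends up with. Precedence is a simplification chosen for this
    example: <meta> tag, then Referrer-Policy header, then CSP directive, then default."""
    h = {k.lower(): v for k, v in headers.items()}
    m = META_RE.search(html)
    for candidate in ((m.group(1) if m else None), h.get("referrer-policy"), csp_referrer(h)):
        if candidate and candidate.strip():
            value = candidate.strip().lower()
            return LEGACY_ALIASES.get(value, value)
    return browser_default


def token_leaks(headers: Dict[str, str], html: str, page_url: str, target_url: str) -> bool:
    """True if a request the page makes to target_url would carry the token= parameter."""
    ref = referer_for(page_url, target_url, effective_policy(headers, html))
    return ref is not None and "token=" in ref


# Constructed inputs: a phpMyAdmin-style page URL with the token in the query string,
# and an attacker-controlled resource the rendered page is made to fetch.
PAGE = "https://pma.example.test/sql.php?db=app&token=0123abcd"
ATTACKER = "https://attacker.example.test/collect.png"
BASE_CSP = "default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';"
SAMPLES = {
    "unpatched": ({"Content-Security-Policy": BASE_CSP}, '<meta charset="utf-8" />'),
    "commit_1e5716cb": ({"X-WebKit-CSP": BASE_CSP + "referrer no-referrer;"},
                        '<meta charset="utf-8" /><meta name="referrer" content="none" />'),
    "commit_2f495082": ({"Content-Security-Policy": BASE_CSP + "referrer no-referrer;"},
                        '<meta charset="utf-8" /><meta name="referrer" content="no-referrer" />'),
    "referrer_policy_header": ({"Referrer-Policy": "strict-origin-when-cross-origin"}, ""),
}


def run() -> Dict[str, bool]:
    """Leak verdict per sample; only the unpatched response exposes the token."""
    return {name: token_leaks(h, html, PAGE, ATTACKER) for name, (h, html) in SAMPLES.items()}
```

`run()` reports the unpatched response as leaking and the other three as safe. Note that the 2016 browser default only withholds the Referer on an https-to-http downgrade, so an attacker who serves the collecting resource over https receives the full URL, token included; the explicit policy is what closes that gap.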
References
- github.com/phpmyadmin/phpmyadmin/commit/1e5716cb96d46efc305381ae0da08e73fe340f05 (nvd: Patch, web)
- github.com/phpmyadmin/phpmyadmin/commit/2f4950828ec241e8cbdcf13090c2582a6fa620cb (nvd: Patch, web)
- www.phpmyadmin.net/security/PMASA-2016-28/ (nvd: Patch, vendor advisory)
- github.com/advisories/GHSA-2p7v-jm8m-g3qq (ghsa: advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-5739 (ghsa: advisory)
- lists.opensuse.org/opensuse-updates/2016-06/msg00113.html (nvd: web)
- lists.opensuse.org/opensuse-updates/2016-06/msg00114.html (nvd: web)
- www.debian.org/security/2016/dsa-3627 (nvd: web)
- security.gentoo.org/glsa/201701-32 (nvd: web)
- web.archive.org/web/20200227223419/http://www.securityfocus.com/bid/91389 (ghsa: web)
- www.phpmyadmin.net/security/PMASA-2016-28 (ghsa: web)
- www.securityfocus.com/bid/91389 (nvd)