CVE-2016-6608
Description
XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the "Remove partitioning" functionality. Specially crafted database names can trigger the XSS attack. All 4.6.x versions (prior to 4.6.4) are affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.6.x before 4.6.4 allow attackers to inject arbitrary web script via crafted database names.
Vulnerability
Cross-site scripting (XSS) vulnerabilities exist in phpMyAdmin versions 4.6.0 through 4.6.3 [1][3]. The flaws affect the database privilege check and the "Remove partitioning" functionality. Specially crafted database names can trigger the XSS attack [1][3].
Exploitation
An attacker must have the ability to create or rename a database with a malicious name containing JavaScript payloads. The attacker then needs to trick an authenticated phpMyAdmin user into visiting a page that displays the crafted database name, such as the database privilege check or partitioning removal interface [3]. No additional privileges beyond database creation are required.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's phpMyAdmin session. This could lead to session hijacking, defacement, or theft of sensitive information displayed in the interface [1][3].
Mitigation
The vulnerability is fixed in phpMyAdmin 4.6.4 and later [3]. Users should upgrade to version 4.6.4 or newer. The Gentoo security advisory recommends upgrading to at least 4.6.5.1 [4]. Patches are available via the referenced commits [3]. No workaround is documented.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 4.6, < 4.6.4 | 4.6.4 |
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.3:*:*:*:*:*:*:*
- (no CPE) range: < 4.6.4
GHSA coordinates
- (no CPE) range: >= 4.6, < 4.6.4
- (no CPE) range: < 4.6.5.2-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.phpmyadmin.net/security/PMASA-2016-31 (nvd; Patch, Vendor Advisory; WEB)
- github.com/advisories/GHSA-jfmj-27fp-qp67 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-6608 (ghsa; ADVISORY)
- www.securityfocus.com/bid/93258 (nvd; WEB)
- security.gentoo.org/glsa/201701-32 (nvd; WEB)
News mentions
No linked articles in our index yet.