VYPR
← All advisories
Medium severity6.1NVD Advisory· Published Dec 11, 2016· Updated May 6, 2026

CVE-2016-6615

CVE-2016-6615

Description

XSS issues were discovered in phpMyAdmin. This affects navigation pane and database/table hiding feature (a specially-crafted database name can be used to trigger an XSS attack); the "Tracking" feature (a specially-crafted query can be used to trigger an XSS attack); and GIS visualization feature. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple XSS vulnerabilities in phpMyAdmin navigation, tracking, and GIS features allow specially-crafted inputs to execute JavaScript; versions prior to 4.6.4 and 4.4.15.8 are affected.

Vulnerability

Cross-site scripting (XSS) vulnerabilities exist in phpMyAdmin versions 4.6.x prior to 4.6.4 and 4.4.x prior to 4.4.15.8. The flaws affect the navigation pane and database/table hiding feature (a specially-crafted database name triggers XSS), the "Tracking" feature (a specially-crafted query triggers XSS), and the GIS visualization feature [1]. No authentication is required for the navigation pane vector; the Tracking and GIS features require a user with appropriate privileges to create or manipulate tracked queries or GIS data.

Exploitation

An attacker can exploit the navigation pane XSS by creating a database with a name containing malicious JavaScript, which executes when a logged-in administrator views the navigation tree. For the Tracking feature, an attacker with access to create or edit tracked SQL queries can inject script payloads that execute when the tracking status is reviewed. The GIS vulnerability allows injection through specially-crafted geometry data processed during visualization. No user interaction beyond normal browsing is required for the navigation vector, but the Tracking and GIS vectors require prior authenticated access to the phpMyAdmin interface [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's phpMyAdmin session, potentially leading to session hijacking, exposure of sensitive database credentials, or unauthorized SQL execution. The scope of compromise is limited to the phpMyAdmin interface, but the attacker could leverage the XSS to escalate privileges or exfiltrate data from the web application [1].

Mitigation

The vulnerabilities are fixed in phpMyAdmin versions 4.6.4 and 4.4.15.8 released on July 13, 2016 [1]. Users should upgrade immediately; no known workarounds are available [2]. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

References
  1. PMASA-2016-38
  2. Multiple vulnerabilities (GLSA 201701-32) — Gentoo security

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

35
  • PhpMyAdmin/phpMyAdmin34 versions
    cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:*:*:*:*:*:*:*+ 33 more
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.5:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.6:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.7:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:alpha1:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.3:*:*:*:*:*:*:*
    • (no CPE)range: <=4.6.3, <=4.4.15.7
  • osv-coords
    pkg:rpm/opensuse/phpMyAdmin&distro=openSUSE%20Tumbleweed
    Range: < 4.6.5.2-1.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.