CVE-2016-9851
Description
An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to bypass the logout timeout. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted request parameter can bypass the logout timeout in phpMyAdmin 4.6.x before 4.6.5 and 4.4.x before 4.4.15.9.
Vulnerability
In phpMyAdmin, a crafted request parameter allows an attacker to bypass the configured logout timeout, effectively keeping an authenticated session alive indefinitely. This affects all 4.6.x versions prior to 4.6.5 and 4.4.x versions prior to 4.4.15.9 [1][3]. The vulnerability is categorized under CWE-661 (Improper Handling of Locking) [3].
Exploitation
An attacker needs an authenticated session token or must trick an authenticated user into visiting a crafted URL or submitting a crafted request parameter. By manipulating a request parameter, the timeout check is circumvented, preventing the session from expiring as intended. No additional authentication or privileges are required beyond the initial valid session [1][3].
Impact
Successful exploitation allows an attacker (or a malicious user) to maintain a phpMyAdmin session beyond the configured idle timeout. This could lead to unauthorized access if the session cookie is stolen or if the session remains active on a shared computer, increasing the risk of information disclosure or further compromise of the MySQL database managed by phpMyAdmin [1][3].
Mitigation
Fixed in phpMyAdmin versions 4.6.5 and 4.4.15.9, released on 2016-12-11 [1][3]. Users should upgrade to these versions or later. Specific patches are available in commits 8ee12d3 (4.4 branch) and fbad6b9 (4.6 branch) [3]. The Gentoo security advisory (GLSA 201701-32) also recommends upgrading to >=dev-db/phpmyadmin-4.6.5.1 [4]. No workaround is documented in the available references.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 4.6, < 4.6.5 | 4.6.5 |
| phpmyadmin/phpmyadmin (Packagist) | >= 4.4, < 4.4.15.9 | 4.4.15.9 |
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.4:*:*:*:*:*:*:*
- (no CPE) range: >=4.4.0 <4.4.15.9 OR >=4.6.0 <4.6.5
- GHSA coordinates (2 version ranges):
- (no CPE) range: >= 4.6, < 4.6.5
- (no CPE) range: < 4.6.5.2-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.phpmyadmin.net/security/PMASA-2016-62 (nvd: Patch, Vendor Advisory, WEB)
- www.securityfocus.com/bid/94534 (nvd: Third Party Advisory, VDB Entry, WEB)
- github.com/advisories/GHSA-r2vw-p77f-vc27 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-9851 (ghsa: ADVISORY)
- security.gentoo.org/glsa/201701-32 (nvd: WEB)
News mentions
No linked articles in our index yet.