VYPR

rpm package

opensuse/phpMyAdmin&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/phpMyAdmin&distro=openSUSE%20Tumbleweed

Vulnerabilities (163)

  • CVE-2016-6609 (High), Dec 11, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    An issue was discovered in phpMyAdmin. A specially crafted database name could be used to run arbitrary PHP commands through the array export feature. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.

  • CVE-2016-6608 (Medium), Dec 11, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the "Remove partitioning" functionality. Specially crafted database names can trigger the XSS attack. All 4.6.x versions (prior to 4.6.4) are affected.

  • CVE-2016-6607 (Medium), Dec 11, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    XSS issues were discovered in phpMyAdmin. This affects Zoom search (specially crafted column content can be used to trigger an XSS attack); GIS editor (certain fields in the graphical GIS editor are not properly escaped and can be used to trigger an XSS attack); Relation view; th

  • CVE-2016-6606 (High), Dec 11, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    An issue was discovered in cookie encryption in phpMyAdmin. The decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user's browser cookie file to decrypt the username and password. Furthermore, the same init

  • CVE-2016-5099 (Medium), Jul 5, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding.

  • CVE-2016-5097 (Medium), Jul 5, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    phpMyAdmin before 4.6.2 places tokens in query strings and does not arrange for them to be stripped before external navigation, which allows remote attackers to obtain sensitive information by reading (1) HTTP requests or (2) server logs.

  • CVE-2016-5739 (High), Jul 3, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an

  • CVE-2016-5734 (Critical), Jul 3, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by

  • CVE-2016-5733 (Medium), Jul 3, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during privilege

  • CVE-2016-5732 (Medium), Jul 3, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    Multiple cross-site scripting (XSS) vulnerabilities in the partition-range implementation in templates/table/structure/display_partitions.phtml in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via crafted t

  • CVE-2016-5731 (Medium), Jul 3, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    Cross-site scripting (XSS) vulnerability in examples/openid.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message.

  • CVE-2016-5730 (Medium), Jul 3, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a mi

  • CVE-2016-5706 (High), Jul 3, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to cause a denial of service via a large array in the scripts parameter.

  • CVE-2016-5705 (Medium), Jul 3, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an "in

  • CVE-2016-5704 (Medium), Jul 3, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    Cross-site scripting (XSS) vulnerability in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving a comment.

  • CVE-2016-5703 (Critical), Jul 3, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    SQL injection vulnerability in libraries/central_columns.lib.php in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allows remote attackers to execute arbitrary SQL commands via a crafted database name that is mishandled in a central column query.

  • CVE-2016-5702 (Low), Jul 3, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI.

  • CVE-2016-5701 (Medium), Jul 3, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI.

  • CVE-2016-2562 (Medium), Mar 1, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof these servers and obtain sensitive information via a crafted certificate.

  • CVE-2016-2561 (Medium), Mar 1, 2016
    affected < 4.6.5.2-1.1, fixed 4.6.5.2-1.1

    Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3) te
