Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qdnh4LTh4eGYtNTQ5Nc4AAbYo
phpMyAdmin CSRF Vulnerability
An issue was discovered in phpMyAdmin. When PHP's arg_separator is set to something other than its default value "&", the CSRF token was not properly stripped from the return URL of the preference import action, so the token could remain in that URL and be exposed wherever URLs are recorded (for example in the Referer header or browser history). All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are affected.
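The failure mode described above, as an added illustration that is not phpMyAdmin's own code: a token-stripping routine that hard-codes "&" leaves the token in place whenever the configured separator is different. The parameter name "token", the script name and the sample URLs are constructed for this example; the separators mirror values PHP's arg_separator.output can take.

```python
# Added illustration, not phpMyAdmin's code: why a token-stripping routine
# that hard-codes '&' fails when PHP's arg_separator is set to something else.
# The query parameter name "token" and the URLs are constructed for this example.
from urllib.parse import urlsplit, urlunsplit

TOKEN_PARAM = "token"  # assumed name of the CSRF token parameter


def strip_token_naive(url: str) -> str:
    """Buggy variant: splits the query on '&' regardless of configuration."""
    parts = urlsplit(url)
    kept = [kv for kv in parts.query.split("&")
            if kv.split("=", 1)[0] != TOKEN_PARAM]
    return urlunsplit(parts._replace(query="&".join(kept)))


def strip_token(url: str, arg_separator: str = "&") -> str:
    """Fixed variant: splits and re-joins on the separator actually in use
    (mirrors PHP's arg_separator.output, e.g. '&', '&amp;' or ';')."""
    parts = urlsplit(url)
    kept = [kv for kv in parts.query.split(arg_separator)
            if kv.split("=", 1)[0] != TOKEN_PARAM]
    return urlunsplit(parts._replace(query=arg_separator.join(kept)))


def token_leaks(url: str, arg_separator: str) -> bool:
    """True if a token=... pair survives in the query of the given URL."""
    query = urlsplit(url).query
    return any(kv.split("=", 1)[0] == TOKEN_PARAM
               for kv in query.split(arg_separator))


if __name__ == "__main__":
    # Constructed return URLs; with ';' or '&amp;' the naive version leaks.
    for sep in ("&", "&amp;", ";"):
        ret = f"prefs_manage.php?db=test{sep}token=deadbeef{sep}server=1"
        print(f"sep={sep!r:8} naive leaks: {token_leaks(strip_token_naive(ret), sep)}"
              f"  fixed leaks: {token_leaks(strip_token(ret, sep), sep)}")
```

The check to carry over to any similar code is that the separator used for splitting is read from the same configuration that produced the URL, rather than assumed.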
Permalink: https://github.com/advisories/GHSA-jvxx-8xxf-5495
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qdnh4LTh4eGYtNTQ5Nc4AAbYo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: 6 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-jvxx-8xxf-5495, CVE-2016-9866
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-9866
- https://security.gentoo.org/glsa/201701-32
- https://www.phpmyadmin.net/security/PMASA-2016-71
- https://web.archive.org/web/20210123194736/http://www.securityfocus.com/bid/94536
- https://github.com/advisories/GHSA-jvxx-8xxf-5495
Affected Packages
packagist:phpmyadmin/phpmyadmin
Dependent packages: 4
Dependent repositories: 15
Downloads: 297,418 total
Affected Version Ranges: >= 4.0.0, < 4.0.10.18, >= 4.4.0, < 4.4.15.9, >= 4.6.0, < 4.6.5
Fixed in: 4.0.10.18, 4.4.15.9, 4.6.5
All affected versions: 4.0.0, 4.0.1-0.1, 4.0.1-0.2, 4.0.1-0.3, 4.0.1-0.4, 4.0.1-0.5, 4.0.1-0.6, 4.0.1-0.7, 4.0.1-0.8, 4.0.1-0.9
All unaffected versions: 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 4.7.8, 4.7.9, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.8.5, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.9.7, 4.9.8, 4.9.9, 4.9.10, 4.9.11, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.2.0, 5.2.1
Note: the two per-version lists are derived from Packagist tags and do not agree with the affected ranges above. Versions 4.0.1 through 4.0.10 fall inside the range >= 4.0.0, < 4.0.10.18 and should be treated as affected; the ranges and the "Fixed in" versions are the authoritative data for triage.
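Matching an installed version against the ranges above, as an added example that is neither ecosyste.ms nor phpMyAdmin code. It shows why the per-version lists can go wrong: phpMyAdmin's 4.0.x and 4.4.x fixes are four-component releases (4.0.10.18, 4.4.15.9), which a three-part semver parser rejects or mis-orders, whereas plain tuple comparison handles them. The sample inventory is constructed, and the handling of "-suffix" tags is an assumption noted in the code.

```python
# Added illustration, not ecosyste.ms or phpMyAdmin code: matching an installed
# phpMyAdmin version against this advisory's ranges. Tuple comparison handles
# four-component releases such as 4.0.10.18, which a three-part semver parser
# would reject or mis-order. The sample version list is constructed.

# Ranges from the advisory, each as [lower, upper).
AFFECTED_RANGES = (
    ("4.0.0", "4.0.10.18"),
    ("4.4.0", "4.4.15.9"),
    ("4.6.0", "4.6.5"),
)


def parse_version(version: str) -> tuple:
    """Dotted integers to a tuple; any '-suffix' (e.g. 4.0.1-0.1) is ignored,
    an assumption that treats such tags like their base release."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str) -> bool:
    """True if version lies in any affected range. Python compares tuples
    lexicographically, so (4, 0, 10) < (4, 0, 10, 18) as required."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(versions):
    """Map each version to its status for a quick inventory sweep."""
    return {v: ("affected" if is_affected(v) else "unaffected") for v in versions}


if __name__ == "__main__":
    # Constructed inventory: note 4.0.10 is affected although the page's
    # tag-derived list calls it unaffected.
    sample = ["4.0.1", "4.0.10", "4.0.10.18", "4.4.15.8", "4.6.5", "4.7.0", "5.2.1"]
    for version, status in triage(sample).items():
        print(f"{version:>10}  {status}")
```

Run it against the versions reported by your own deployments; anything in the 4.0.x, 4.4.x or 4.6.x lines below the respective "Fixed in" release is in scope regardless of what a tag-derived list says.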