Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qdnh4LTh4eGYtNTQ5Nc4AAbYo
phpMyAdmin CSRF Vulnerability
An issue was discovered in phpMyAdmin. When the arg_separator is set to something other than its default value (&), the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Permalink: https://github.com/advisories/GHSA-jvxx-8xxf-5495
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qdnh4LTh4eGYtNTQ5Nc4AAbYo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00171
EPSS Percentile: 0.54514
Identifiers: GHSA-jvxx-8xxf-5495, CVE-2016-9866
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-9866
- https://security.gentoo.org/glsa/201701-32
- https://www.phpmyadmin.net/security/PMASA-2016-71
- https://web.archive.org/web/20210123194736/http://www.securityfocus.com/bid/94536
- https://github.com/advisories/GHSA-jvxx-8xxf-5495
Affected Packages
packagist:phpmyadmin/phpmyadmin
Dependent packages: 4
Dependent repositories: 15
Downloads: 324,333 total
Affected Version Ranges: >= 4.0.0, < 4.0.10.18, >= 4.4.0, < 4.4.15.9, >= 4.6.0, < 4.6.5
Fixed in: 4.0.10.18, 4.4.15.9, 4.6.5
All affected versions: 4.0.0, 4.0.1-0.1, 4.0.1-0.2, 4.0.1-0.3, 4.0.1-0.4, 4.0.1-0.5, 4.0.1-0.6, 4.0.1-0.7, 4.0.1-0.8, 4.0.1-0.9
All unaffected versions: 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 4.7.8, 4.7.9, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.8.5, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.9.7, 4.9.8, 4.9.9, 4.9.10, 4.9.11, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.2.0, 5.2.1