Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qdnh4LTh4eGYtNTQ5Nc4AAbYo

phpMyAdmin CSRF Vulnerability

An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

Permalink: https://github.com/advisories/GHSA-jvxx-8xxf-5495
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qdnh4LTh4eGYtNTQ5Nc4AAbYo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: about 1 year ago


CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.00171
EPSS Percentile: 0.54514

Identifiers: GHSA-jvxx-8xxf-5495, CVE-2016-9866
References: Blast Radius: 11.5

Affected Packages

packagist:phpmyadmin/phpmyadmin
Dependent packages: 4
Dependent repositories: 15
Downloads: 324,333 total
Affected Version Ranges: >= 4.0.0, < 4.0.10.18, >= 4.4.0, < 4.4.15.9, >= 4.6.0, < 4.6.5
Fixed in: 4.0.10.18, 4.4.15.9, 4.6.5
All affected versions: 4.0.0, 4.0.1-0.1, 4.0.1-0.2, 4.0.1-0.3, 4.0.1-0.4, 4.0.1-0.5, 4.0.1-0.6, 4.0.1-0.7, 4.0.1-0.8, 4.0.1-0.9
All unaffected versions: 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 4.7.8, 4.7.9, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.8.5, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.9.7, 4.9.8, 4.9.9, 4.9.10, 4.9.11, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.2.0, 5.2.1