Vulnerabilities > CVE-2016-4412 - 7PK - Security Features vulnerability in PHPmyadmin

047910
CVSS 4.4 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
LOW
Confidentiality impact
LOW
Integrity impact
LOW
Availability impact
NONE
network
high complexity
phpmyadmin
CWE-254
nessus
NVD
Published: 2016-12-11
Updated: 2017-07-01

Summary

An issue was discovered in phpMyAdmin. A user can be tricked into following a link leading to phpMyAdmin, which after authentication redirects to another malicious site. The attacker must sniff the user's valid phpMyAdmin token. All 4.0.x versions (prior to 4.0.10.16) are affected.

Vulnerable Configurations

Part Description Count
Application
Phpmyadmin
28

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-6576A8536B.NASL
    descriptionphpMyAdmin 4.6.5.1 (2016-11-26) =============================== A patch-level release fixing two small issues : - an issue affecting a small number of users using $cfg[
    last seen2020-06-05
    modified2016-12-05
    plugin id95490
    published2016-12-05
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95490
    titleFedora 25 : phpMyAdmin (2016-6576a8536b)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-757.NASL
    descriptionVarious security issues where found and fixed in phpmyadmin in wheezy. CVE-2016-4412 / PMASA-2016-57 A user can be tricked in following a link leading to phpMyAdmin, which after authentication redirects to another malicious site. CVE-2016-6626 / PMASA-2016-49 In the fix for PMASA-2016-57, we didn
    last seen2020-03-17
    modified2016-12-27
    plugin id96093
    published2016-12-27
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96093
    titleDebian DLA-757-1 : phpmyadmin security update
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_6FE72178B2E311E68B2A6805CA0B3D42.NASL
    descriptionPlease reference CVE/URL list for details
    last seen2020-06-01
    modified2020-06-02
    plugin id95364
    published2016-11-28
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95364
    titleFreeBSD : phpMyAdmin -- multiple vulnerabilities (6fe72178-b2e3-11e6-8b2a-6805ca0b3d42)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-7FC142DA66.NASL
    descriptionphpMyAdmin 4.6.5.1 (2016-11-26) =============================== A patch-level release fixing two small issues : - an issue affecting a small number of users using $cfg[
    last seen2020-06-05
    modified2016-12-08
    plugin id95613
    published2016-12-08
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95613
    titleFedora 23 : phpMyAdmin (2016-7fc142da66)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-2424EECA35.NASL
    descriptionphpMyAdmin 4.6.5.1 (2016-11-26) =============================== A patch-level release fixing two small issues : - an issue affecting a small number of users using $cfg[
    last seen2020-06-05
    modified2016-12-12
    plugin id95670
    published2016-12-12
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95670
    titleFedora 24 : phpMyAdmin (2016-2424eeca35)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201701-32.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201701-32 (phpMyAdmin: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in phpMyAdmin. Please review the CVE identifiers referenced below for details. Impact : A authenticated remote attacker could exploit these vulnerabilities to execute arbitrary PHP Code, inject SQL code, or to conduct Cross-Site Scripting attacks. In certain configurations, an unauthenticated remote attacker could cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id96426
    published2017-01-12
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96426
    titleGLSA-201701-32 : phpMyAdmin: Multiple vulnerabilities

References