Vulnerabilities > Phpmyadmin > Phpmyadmin > 4.4.14.1

DATE CVE VULNERABILITY TITLE RISK
2016-07-03 CVE-2016-5739 Information Exposure vulnerability in multiple products
The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php.
network
low complexity
opensuse phpmyadmin CWE-200
7.5
7.5
2016-07-03 CVE-2016-5734 Code Injection vulnerability in PHPmyadmin
phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation.
network
low complexity
phpmyadmin CWE-94
critical
 9.8
9.8
2016-07-03 CVE-2016-5733 Cross-site Scripting vulnerability in multiple products
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during privilege checking in table_row.phtml, (2) a crafted mysqld log_bin directive that is mishandled in log_selector.phtml, (3) the Transformation implementation, (4) AJAX error handling in js/ajax.js, (5) the Designer implementation, (6) the charts implementation in js/tbl_chart.js, or (7) the zoom-search implementation in rows_zoom.phtml.
network
low complexity
phpmyadmin opensuse CWE-79
6.1
6.1
2016-07-03 CVE-2016-5731 Cross-site Scripting vulnerability in multiple products
Cross-site scripting (XSS) vulnerability in examples/openid.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message.
network
low complexity
phpmyadmin opensuse CWE-79
6.1
6.1
2016-07-03 CVE-2016-5730 Information Exposure vulnerability in multiple products
phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a missing config directory during setup, or (5) an incorrect OpenID identifier data type, which reveals the full path in an error message.
network
low complexity
phpmyadmin opensuse CWE-200
5.3
5.3
2016-07-03 CVE-2016-5706 Resource Management Errors vulnerability in multiple products
js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to cause a denial of service via a large array in the scripts parameter.
network
low complexity
phpmyadmin opensuse CWE-399
7.5
7.5
2016-07-03 CVE-2016-5705 Cross-site Scripting vulnerability in multiple products
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an "invalid JSON" error message in the error console, (3) a database name in the central columns implementation, (4) a group name, or (5) a search name in the bookmarks implementation.
network
low complexity
opensuse phpmyadmin CWE-79
6.1
6.1
2016-07-03 CVE-2016-5703 SQL Injection vulnerability in multiple products
SQL injection vulnerability in libraries/central_columns.lib.php in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allows remote attackers to execute arbitrary SQL commands via a crafted database name that is mishandled in a central column query.
network
low complexity
opensuse phpmyadmin CWE-89
critical
 9.8
9.8
2016-07-03 CVE-2016-5701 Injection vulnerability in multiple products
setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI.
network
low complexity
phpmyadmin opensuse CWE-74
6.1
6.1
2016-03-01 CVE-2016-2561 Cross-site Scripting vulnerability in PHPmyadmin
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3) templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos parameter to db_central_columns.php in the central columns page.
network
low complexity
phpmyadmin CWE-79
5.4
5.4