DescriptionMultiple CRLF injection vulnerabilities in PhpMyAdmin 2.7.0-pl2 allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a phpMyAdmin cookie in (1) css/phpmyadmin.css.php, (2) db_create.php, (3) index.php, (4) left.php, (5) libraries/, (6) libraries/transformations/overview.php, (7) querywindow.php, (8) server_engines.php, and possibly other files.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
phpmyadmin (PTS)stretch4:4.6.6-4+deb9u1fixed
stretch (security)4:4.6.6-4+deb9u2fixed
bookworm, sid4:5.1.1+dfsg1-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
phpmyadminsourcesarge(not affected)
phpmyadminsourceetch(not affected)
phpmyadminsource(unstable)(not affected)


- phpmyadmin <not-affected> (low; bug #404744)
[sarge] - phpmyadmin <not-affected> (doesn't use sessions at all)
[etch] - phpmyadmin <not-affected> (not exploitable with Etch's php versions)
not exploitable with PHP 5.1.2+ and 4.4.2+

Search for package or bug name: Reporting problems