CVE-2016-2560

NameCVE-2016-2560
DescriptionMultiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to libraries/controllers/TableSearchController.class.php in the zoom search page.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-481-1, DSA-3627-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
phpmyadmin (PTS)wheezy4:3.4.11.1-2+deb7u2vulnerable
wheezy (security)4:3.4.11.1-2+deb7u8fixed
jessie (security), jessie4:4.2.12-2+deb8u2fixed
stretch4:4.6.6-4fixed
buster, sid4:4.6.6-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
phpmyadminsource(unstable)4:4.5.5.1-1low
phpmyadminsourcejessie4:4.2.12-2+deb8u2mediumDSA-3627-1
phpmyadminsourcewheezy4:3.4.11.1-2+deb7u3mediumDLA-481-1

Notes

7ddce5e39a4e12cd351732955394bc7055c280eb: file not present, vulnerability not found in wheezy
0667ea8ac7519d7e642eade2686dc393d5faeae3: vulnerability present in 3.4.3.1, but code mysteriously not found in wheezy
fe3be9f4b9edd54dc39919e7dfeaaf4a67c1cf83: vulnerability introduced in 052fd61f (3.5.1)
b8f1e0f325f8f32bd82af64111d8c2e9055a363c and 73c8245a3d1893a710447957e28dcfb18d9b47ad present in wheezy and later, patch in lists.debian.org/87lh4fpyap.fsf@angela.anarcat.ath.cx

Search for package or bug name: Reporting problems