CVE-2016-2561

Name	CVE-2016-2561
Description	Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3) templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos parameter to db_central_columns.php in the central columns page.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-3627-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
phpmyadmin (PTS)	bullseye	4:5.0.4+dfsg2-2+deb11u1	fixed
	bookworm	4:5.2.1+dfsg-1	fixed
	sid, trixie	4:5.2.1+dfsg-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
phpmyadmin	source	wheezy	(not affected)
phpmyadmin	source	jessie	4:4.2.12-2+deb8u2		DSA-3627-1
phpmyadmin	source	(unstable)	4:4.5.5.1-1