Fluid Attacks Database

Description

phpMyAdmin CSRF Vulnerability An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	phpmyadmin/phpmyadmin	>=4.6.0 <4.6.5 \|\| >=4.4.0 <4.4.15.9 \|\| >=4.0.0 <4.0.10.18	4.6.5, 4.4.15.9, 4.0.10.18
debian 13	phpmyadmin	>=0 <4:4.6.5.1-1	4:4.6.5.1-1
alpine v3.2	phpmyadmin	=3.3.10-r0 \|\| =3.3.10-r1 \|\| =3.3.10-r2 \|\| =3.4.11.1-r0 \|\| =3.4.9-r0 \|\| =4.0.0-r0 \|\| =4.0.1-r0 \|\| =4.0.10-r0 \|\| =4.0.2-r0 \|\| =4.0.3-r0 \|\| =4.0.4.1-r0 \|\| =4.0.4.2-r0 \|\| =4.0.5-r0 \|\| =4.0.6-r0 \|\| =4.0.7-r0 \|\| =4.0.8-r0 \|\| =4.0.8-r1 \|\| =4.0.8-r2 \|\| =4.0.9-r0 \|\| =4.1.11-r0 \|\| =4.1.12-r0 \|\| =4.1.13-r0 \|\| =4.1.14-r0 \|\| =4.1.4-r0 \|\| =4.1.5-r0 \|\| =4.1.6-r0 \|\| =4.1.7-r0 \|\| =4.1.8-r0 \|\| =4.1.9-r0 \|\| =4.2.0-r0 \|\| =4.2.1-r0 \|\| =4.2.10-r0 \|\| =4.2.10.1-r0 \|\| =4.2.11-r0 \|\| =4.2.12-r0 \|\| =4.2.13.1-r0 \|\| =4.2.2-r0 \|\| =4.2.3-r0 \|\| =4.2.4-r0 \|\| =4.2.5-r0 \|\| =4.2.6-r0 \|\| =4.2.7-r0 \|\| =4.2.7.1-r0 \|\| =4.2.8-r0 \|\| =4.2.8.1-r0 \|\| =4.2.9-r0 \|\| =4.2.9.1-r0 \|\| =4.3.0-r0 \|\| =4.3.1-r0 \|\| =4.3.10-r0 \|\| =4.3.11.1-r0 \|\| =4.3.12-r0 \|\| =4.3.13-r0 \|\| =4.3.3-r0 \|\| =4.3.4-r0 \|\| =4.3.5-r0 \|\| =4.3.7-r0 \|\| =4.3.8-r0 \|\| =4.3.9-r0 \|\| =4.4.1.1-r0 \|\| =4.4.15-r0 \|\| =4.4.15.1-r0 \|\| =4.4.15.4-r0 \|\| =4.4.15.7-r0 \|\| =4.4.15.8-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| >=0 <4.4.15.9-r0	4.4.15.9-r0
debian 12	phpmyadmin	>=0 <4:4.6.5.1-1	4:4.6.5.1-1
debian 11	phpmyadmin	>=0 <4:4.6.5.1-1	4:4.6.5.1-1
alpine v3.4	phpmyadmin	=3.3.10-r0 \|\| =3.3.10-r1 \|\| =3.3.10-r2 \|\| =3.4.11.1-r0 \|\| =3.4.9-r0 \|\| =4.0.0-r0 \|\| =4.0.1-r0 \|\| =4.0.10-r0 \|\| =4.0.2-r0 \|\| =4.0.3-r0 \|\| =4.0.4.1-r0 \|\| =4.0.4.2-r0 \|\| =4.0.5-r0 \|\| =4.0.6-r0 \|\| =4.0.7-r0 \|\| =4.0.8-r0 \|\| =4.0.8-r1 \|\| =4.0.8-r2 \|\| =4.0.9-r0 \|\| =4.1.11-r0 \|\| =4.1.12-r0 \|\| =4.1.13-r0 \|\| =4.1.14-r0 \|\| =4.1.4-r0 \|\| =4.1.5-r0 \|\| =4.1.6-r0 \|\| =4.1.7-r0 \|\| =4.1.8-r0 \|\| =4.1.9-r0 \|\| =4.2.0-r0 \|\| =4.2.1-r0 \|\| =4.2.10-r0 \|\| =4.2.10.1-r0 \|\| =4.2.11-r0 \|\| =4.2.12-r0 \|\| =4.2.13.1-r0 \|\| =4.2.2-r0 \|\| =4.2.3-r0 \|\| =4.2.4-r0 \|\| =4.2.5-r0 \|\| =4.2.6-r0 \|\| =4.2.7-r0 \|\| =4.2.7.1-r0 \|\| =4.2.8-r0 \|\| =4.2.8.1-r0 \|\| =4.2.9-r0 \|\| =4.2.9.1-r0 \|\| =4.3.0-r0 \|\| =4.3.1-r0 \|\| =4.3.10-r0 \|\| =4.3.11.1-r0 \|\| =4.3.12-r0 \|\| =4.3.13-r0 \|\| =4.3.3-r0 \|\| =4.3.4-r0 \|\| =4.3.5-r0 \|\| =4.3.7-r0 \|\| =4.3.8-r0 \|\| =4.3.9-r0 \|\| =4.4.1.1-r0 \|\| =4.4.10-r0 \|\| =4.4.12-r0 \|\| =4.4.15-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.4.9-r0 \|\| =4.5.0.2-r0 \|\| =4.5.1-r0 \|\| =4.5.4-r0 \|\| =4.5.4.1-r0 \|\| =4.5.5-r0 \|\| =4.5.5.1-r0 \|\| =4.6.0-r0 \|\| =4.6.0-r1 \|\| =4.6.1-r0 \|\| =4.6.2-r0 \|\| =4.6.3-r0 \|\| =4.6.4-r0 \|\| >=0 <4.6.5.2-r0	4.6.5.2-r0

Aliases

1. CVE-2016-98662. NVD-2016-98663. OSV-2016-98664. OSV-DEBIAN-2016-98665. OSV-ALPINE-2016-98666. GCVE-2016-98667. security.gentoo.org8. SECURITY-TRACKER-CVE-2016-98669. SECURITY-CVE-2016-9866

References

1. https://web.archive.org/web/20210123194736/http://www.securityfocus.com/bid/945362. https://www.phpmyadmin.net/security/PMASA-2016-71