Fluid Attacks Database

Description

phpMyAdmin cookie-attribute injection phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	phpmyadmin/phpmyadmin	>=4.6.0 <4.6.3	4.6.3
debian 11	phpmyadmin	>=0 <4:4.6.3-1	4:4.6.3-1
debian 12	phpmyadmin	>=0 <4:4.6.3-1	4:4.6.3-1
debian 13	phpmyadmin	>=0 <4:4.6.3-1	4:4.6.3-1

Aliases

1. CVE-2016-57022. NVD-2016-57023. OSV-2016-57024. OSV-DEBIAN-2016-57025. GCVE-2016-57026. security.gentoo.org7. SECURITY-TRACKER-CVE-2016-5702

References

1. https://github.com/phpmyadmin/phpmyadmin/commit/27caf5b46bd0890e576fea7bd7b166a0639fdf682. https://www.phpmyadmin.net/security/PMASA-2016-18

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.