Bringing MySQL administration to the web

Download 5.2.3
Demo Donate

PMASA-2016-16

Announcement-ID: PMASA-2016-16

Date: 2016-05-25

Updated: 2016-05-26

Summary

Self XSS

Description

A specially crafted attack could allow for special HTML characters to be passed as URL encoded values and displayed back as special characters in the page.

Updated to include CVE ID.

Severity

We consider this to be non-critical.

Affected Versions

Versions 4.4.x (prior to 4.4.15.6) and 4.6.x (prior to 4.6.2) are affected.

Solution

Upgrade to phpMyAdmin 4.4.15.6 or 4.6.2 or newer or apply patch listed below.

References

This issue was found thanks to Mozilla SOS program.

Assigned CVE IDs: CVE-2016-5099

CWE IDs: CWE-661

Patches

The following commits have been made on the 4.6 branch to fix this issue:

The following commits have been made on the 4.4 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin security team at security@phpmyadmin.net.

Announcements