Announcement-ID: PMASA-2016-11
Date: 2016-02-25
Multiple XSS vulnerabilities.
By sending a specially crafted URL as part of the HOST header, it is possible to trigger an XSS attack.
A weakness was found that allows an XSS attack with Internet Explorer versions older than 8 and Safari on Windows using a specially crafted URL.
Using a crafted SQL query, it is possible to trigger an XSS attack through the SQL query page.
Using a crafted parameter value, it is possible to trigger an XSS attack in user accounts page.
Using a crafted parameter value, it is possible to trigger an XSS attack in zoom search page.
We consider this vulnerability to be non-critical.
Versions 4.0.x (prior to 4.0.10.15), 4.4.x (prior to 4.4.15.5) and 4.5.x (prior to 4.5.5.1) are affected.
Upgrade to phpMyAdmin 4.0.10.15, 4.4.15.4, 4.5.5.1, or newer or apply patch listed below.
Thanks to Emanuel Bronshtein @e3amn2l for reporting these vulnerabilities.
Assigned CVE ids: CVE-2016-2560
The following commits have been made on the 4.5 branch to fix this issue:
The following commits have been made on the 4.4 branch to fix this issue:
The following commits have been made on the 4.0 branch to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.