Announcement-ID: PMASA-2016-18
Date: 2016-06-23
Cookie attribute injection attack
A vulnerability was found where, under some circumstances, an attacker can inject arbitrary values into the browser cookies.
We consider this to be non-critical.
A properly configured server which sets PHP_SELF is not affected by this.
All 4.6.x versions (prior to 4.6.3) are affected.
Upgrade to phpMyAdmin 4.6.3 or newer, or apply the patch listed below.
Thanks to Emanuel Bronshtein @e3amn2l for reporting these vulnerabilities.
Assigned CVE ids: CVE-2016-5702
CWE ids: CWE-661
The following commits have been made on the 4.6 branch to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.