GHSA-jvxx-8xxf-5495

Source

https://github.com/advisories/GHSA-jvxx-8xxf-5495

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jvxx-8xxf-5495/GHSA-jvxx-8xxf-5495.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jvxx-8xxf-5495

Aliases

CVE-2016-9866

Published

2022-05-17T02:36:23Z

Modified

2024-02-16T08:12:18.394256Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

phpMyAdmin CSRF Vulnerability

Details

An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

Database specific

{
    "nvd_published_at": "2016-12-11T03:00:00Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-31T21:44:50Z"
}

References

Affected packages

Packagist / phpmyadmin/phpmyadmin

Package

Name: phpmyadmin/phpmyadmin
Purl: pkg:composer/phpmyadmin/phpmyadmin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.6.0

Fixed

4.6.5

Packagist / phpmyadmin/phpmyadmin

Package

Name: phpmyadmin/phpmyadmin
Purl: pkg:composer/phpmyadmin/phpmyadmin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.4.0

Fixed

4.4.15.9

Packagist / phpmyadmin/phpmyadmin

Package

Name: phpmyadmin/phpmyadmin
Purl: pkg:composer/phpmyadmin/phpmyadmin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.0.10.18

Affected versions

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.4.1

4.0.4.2

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10

4.0.10.1

4.0.10.2

4.0.10.3

4.0.10.4

4.0.10.5

4.0.10.6

4.0.10.7

4.0.10.8

4.0.10.9