Bugzilla – Bug 982128
VUL-0: CVE-2016-5099: phpMyAdmin: Self XSS (PMASA-2016-16)
Last modified: 2016-06-11 20:07:47 UTC
https://www.phpmyadmin.net/security/PMASA-2016-16/

Announcement-ID: PMASA-2016-16
Date: 2016-05-25
Updated: 2016-05-26

Summary: Self XSS

Description: A specially crafted attack could allow for special HTML characters to be passed as URL encoded values and displayed back as special characters in the page.

Affected Versions: Versions 4.4.x (prior to 4.4.15.6) and 4.6.x (prior to 4.6.2) are affected.

Solution: Upgrade to phpMyAdmin 4.4.15.6 or 4.6.2 or newer or apply patch listed below.

Assigned CVE ids: CVE-2016-5099
CWE ids: CWE-661

Patches
The following commits have been made on the 4.6 branch to fix this issue:
b061096abd992801fbbd805ef6ff74e627528780
The following commits have been made on the 4.4 branch to fix this issue:
78e71897be0902eb1d5d3d30a33b4417cd7d4d87
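The reflection pattern the advisory describes (a %XX-encoded value decoded by the server and echoed back unescaped), the output-encoding fix, and a check of the affected-version ranges the advisory lists, as an added example. This is not phpMyAdmin's code and not part of the advisory or this bug; the parameter name "db", the <h2> page template and the probe string "<xss>" are assumptions made for illustration, while the version ranges are taken from the advisory text above.

```python
"""Added illustration for PMASA-2016-16 / CVE-2016-5099. Not phpMyAdmin code.

Part 1 shows why a URL-encoded value like %3Cxss%3E becomes live markup when
a page echoes it without escaping, and what the fix looks like.
Part 2 implements the affected-version ranges stated in the advisory.
"""
import html
from urllib.parse import parse_qs

# Assumed page fragment and parameter name, for illustration only;
# these are NOT phpMyAdmin's real markup or parameters.
TEMPLATE = "<h2>Database: {name}</h2>"
PARAM = "db"


def _first_param(query_string: str, key: str) -> str:
    """Return the first value of `key`; parse_qs does the %XX decoding,
    so the literal "%3C" in the URL is already "<" here."""
    return parse_qs(query_string, keep_blank_values=True).get(key, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """The self-XSS pattern: the decoded value is interpolated verbatim."""
    return TEMPLATE.format(name=_first_param(query_string, PARAM))


def render_fixed(query_string: str) -> str:
    """Same page with HTML escaping applied at the output boundary."""
    value = html.escape(_first_param(query_string, PARAM), quote=True)
    return TEMPLATE.format(name=value)


def reflects_raw_html(body: str, probe: str) -> bool:
    """True if `probe` (which should contain HTML-special characters such as
    "<") came back verbatim in `body`. Meant for comparing a response against
    a probe value you sent; run here against the two renderers above."""
    return probe in body


def _vtuple(version: str) -> tuple:
    """'4.4.15.6' -> (4, 4, 15, 6); a '-suffix' such as '-rc1' is dropped."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


def is_affected(version: str) -> bool:
    """Affected per the advisory: 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2.

    Tuple comparison handles the differing lengths: (4, 4, 15) < (4, 4, 15, 6).
    Other branches are not listed in the advisory, so this returns False for
    them; that reflects the advisory's scope, not a statement that they are safe.
    """
    v = _vtuple(version)
    if v[:2] == (4, 4):
        return v < (4, 4, 15, 6)
    if v[:2] == (4, 6):
        return v < (4, 6, 2)
    return False


if __name__ == "__main__":
    # Constructed query string: the value is "<xss>" URL-encoded.
    qs = "db=%3Cxss%3E"
    print("vulnerable:", render_vulnerable(qs))
    print("fixed:     ", render_fixed(qs))
    print("raw reflection (vulnerable):", reflects_raw_html(render_vulnerable(qs), "<xss>"))
    print("raw reflection (fixed):     ", reflects_raw_html(render_fixed(qs), "<xss>"))
    for ver in ("4.4.15.5", "4.4.15.6", "4.6.1", "4.6.2"):
        print(ver, "affected" if is_affected(ver) else "not affected")
```

The point of the probe check is that it looks for the literal probe, not just for "<", since any HTML page contains angle brackets of its own; the fixed renderer produces "&lt;xss&gt;" and the probe is therefore absent.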
This is an autogenerated message for OBS integration: This bug (982128) was mentioned in https://build.opensuse.org/request/show/398585 Factory / phpMyAdmin
I have made a maintenance request to 4.4.15.6, which fixes this issue.
openSUSE-SU-2016:1434-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 982128
CVE References: CVE-2016-5099
Sources used:
openSUSE Leap 42.1 (src): phpMyAdmin-4.4.15.6-19.1
openSUSE 13.2 (src): phpMyAdmin-4.4.15.6-33.1
The update to 4.4.15.6 also fixes:

* PMASA-2016-15 (CVE-2016-5098, CWE-661)
  - File Traversal Protection Bypass on Error Reporting, see https://www.phpmyadmin.net/security/PMASA-2016-15/
* PMASA-2016-14 (CVE-2016-5097, CWE-661)
  - Sensitive Data in URL GET Query Parameters, see https://www.phpmyadmin.net/security/PMASA-2016-14/

see: https://www.phpmyadmin.net/news/2016/5/26/phpmyadmin-security-notifications-and-44156-released/

I will provide new updates ...
This is an autogenerated message for OBS integration: This bug (982128) was mentioned in https://build.opensuse.org/request/show/398776 13.2+42.1 / phpMyAdmin
(In reply to Christian Wittmer from comment #4)
> update to 4.4.15.6 does also fix:
>
> * PMASA-2016-15 (CVE-2016-5098, CWE-661)
>   - File Traversal Protection Bypass on Error Reporting, see
>     https://www.phpmyadmin.net/security/PMASA-2016-15/
> * PMASA-2016-14 (CVE-2016-5097, CWE-661)
>   - Sensitive Data in URL GET Query Parameters, see
>     https://www.phpmyadmin.net/security/PMASA-2016-14/
>
> see:
> https://www.phpmyadmin.net/news/2016/5/26/phpmyadmin-security-notifications-and-44156-released/
>
> I will provide new updates ...

Okay. But I am not stupid. Nothing is stated here:
- https://www.phpmyadmin.net/files/4.4.15.6/
- https://www.phpmyadmin.net/security/PMASA-2016-15/
- https://www.phpmyadmin.net/security/PMASA-2016-14/
- https://github.com/phpmyadmin/phpmyadmin/blob/MAINT_4_4_15/ChangeLog
Nobody said you are stupid ... please don't feel offended.

I opened https://github.com/phpmyadmin/phpmyadmin/issues/12280 to clarify.
(In reply to Christian Wittmer from comment #7)
> Nobody said you are stupid ... please don't feel offended

No no. I'm not offended. :-) I just missed the right words. I only wanted to say that the sources for the changes are not clear.

> I opened:
> https://github.com/phpmyadmin/phpmyadmin/issues/12280

Okay. This is a good idea.
I was wrong: https://github.com/phpmyadmin/phpmyadmin/issues/12280#issuecomment-222398150

Sorry for being loud.
openSUSE-SU-2016:1556-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 982128
CVE References: CVE-2016-5097,CVE-2016-5098,CVE-2016-5099
Sources used:
openSUSE 13.1 (src): phpMyAdmin-4.4.15.6-57.1