MGASA-2016-0240

Updated phpmyadmin packages fix security vulnerability

Publication date: 05 Jul 2016
Modification date: 05 Jul 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-5701, CVE-2016-5703, CVE-2016-5705, CVE-2016-5706, CVE-2016-5730, CVE-2016-5731, CVE-2016-5733, CVE-2016-5739

Description

In phpMyAdmin before 4.4.15.7, a vulnerability was discovered that allows
a BBCode injection into the setup script when it is not accessed over
HTTPS (CVE-2016-5701).

In phpMyAdmin before 4.4.15.7, a vulnerability was discovered that allows
an SQL injection attack to run arbitrary commands as the control user
(CVE-2016-5703).

In phpMyAdmin before 4.4.15.7, XSS vulnerabilities were discovered in the
user privileges page, the error console, and the central columns, query
bookmarks, and user groups features (CVE-2016-5705).

In phpMyAdmin before 4.4.15.7, a denial of service (DoS) vulnerability was
discovered in the way phpMyAdmin loads some JavaScript files
(CVE-2016-5706).

In phpMyAdmin before 4.4.15.7, by specially crafting requests in the
following areas, it is possible to trigger phpMyAdmin to display a PHP
error message which contains the full path of the directory where
phpMyAdmin is installed (CVE-2016-5730).

In phpMyAdmin before 4.4.15.7, with a specially crafted request, it is
possible to trigger an XSS attack through the example OpenID
authentication script (CVE-2016-5731).

In phpMyAdmin before 4.4.15.7, XSS vulnerabilities were found through
specially crafted databases, in AJAX error handling, and in the
Transformation, Designer, charts, and zoom search features
(CVE-2016-5733).

In phpMyAdmin before 4.4.15.7, a vulnerability was reported where a
specially crafted Transformation could be used to leak information
including the authentication token. This could be used to direct a CSRF
attack against a user (CVE-2016-5739).

References

SRPMS

5/core