CVE-2016-5705

Severity: medium
Published 2016-07-03 · Modified 2025-04-14

CVSS v3: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVSS v2: 4.3
VIR risk: 6.1

Description

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an "invalid JSON" error message in the error console, (3) a database name in the central columns implementation, (4) a group name, or (5) a search name in the bookmarks implementation.
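The five vectors above are all the same CWE-79 pattern: a value an attacker controls (a database name, a group name, a bookmark search name, a field from a server-side error message) is written into HTML without escaping. phpMyAdmin is PHP and its fix commits are linked below but not reproduced on this page, so the following is an added Python model of the pattern, not the project's code: a template that interpolates untrusted names once into an attribute and once into element content, beside the hardened form that escapes at the point of output, with a parser-based check that tells injected elements apart from escaped text. The payload strings are constructed for the demo and are not taken from the advisory.

```python
"""CWE-79 pattern behind CVE-2016-5705, shown generically (added example).

phpMyAdmin is PHP; this Python model stands in for the server-side code that
builds HTML from values a user controls (database names, group names,
bookmark search names). The payloads below are constructed for the demo and
are not taken from the advisory or the fix commits.
"""
import html
from html.parser import HTMLParser

# Constructed attacker-controlled values of the kind the advisory names.
DB_NAME_PAYLOAD = 'test"><img src=x onerror=alert(1)>'
GROUP_NAME_PAYLOAD = "<script>alert(document.cookie)</script>"


def render_row_vulnerable(db_name: str, group_name: str) -> str:
    """Vulnerable pattern: untrusted values interpolated directly into markup,
    once in an attribute value and once as element content."""
    return (f'<tr data-db="{db_name}">'
            f"<td>{db_name}</td><td>{group_name}</td></tr>")


def render_row_fixed(db_name: str, group_name: str) -> str:
    """Hardened pattern: escape at the point of output. quote=True also turns
    " and ' into entities, so the attribute context cannot be closed early."""
    def e(s: str) -> str:
        return html.escape(s, quote=True)
    return (f'<tr data-db="{e(db_name)}">'
            f"<td>{e(db_name)}</td><td>{e(group_name)}</td></tr>")


class FragmentInspector(HTMLParser):
    """Collects the element tags and text nodes a tag-soup parser sees, so
    injected markup can be told apart from escaped data."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.texts: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        # convert_charrefs (the default) hands back decoded text, so an
        # escaped name round-trips to its original characters here.
        if data.strip():
            self.texts.append(data)


def inspect(fragment: str) -> tuple[list[str], list[str]]:
    p = FragmentInspector()
    p.feed(fragment)
    p.close()
    return p.tags, p.texts


def injected_tags(fragment: str) -> set[str]:
    """Elements present in the fragment beyond the ones the template emits."""
    tags, _ = inspect(fragment)
    return set(tags) - {"tr", "td"}


if __name__ == "__main__":
    bad = render_row_vulnerable(DB_NAME_PAYLOAD, GROUP_NAME_PAYLOAD)
    good = render_row_fixed(DB_NAME_PAYLOAD, GROUP_NAME_PAYLOAD)
    print("vulnerable injects:", sorted(injected_tags(bad)))  # ['img', 'script']
    print("fixed injects:", sorted(injected_tags(good)))      # []
    print("fixed keeps the names intact:",
          inspect(good)[1] == [DB_NAME_PAYLOAD, GROUP_NAME_PAYLOAD])  # True
```

The attribute case is the one worth noticing: escaping only `<` and `>` would stop the `<script>` vector but still let `"` close the `data-db` attribute and start a new one, which is why the hardened renderer escapes quotes as well. Escaping is applied per output context at the sink, not once at input, since the same database name legitimately contains these characters when it is used in SQL or JSON.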

Predictions

Exploit likelihood
71%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Vendor advisories (authored 2026-05-27):

debian          https://security-tracker.debian.org/tracker/CVE-2016-5705
cve@mitre.org   https://www.phpmyadmin.net/security/PMASA-2016-21/
cve@mitre.org   https://github.com/phpmyadmin/phpmyadmin/commit/57ae483bad33059a885366d5445b7e1f6f29860a (upstream commit)
cve@mitre.org   https://github.com/phpmyadmin/phpmyadmin/commit/36df83a97a7f140fdb008b727a94f882847c6a6f (upstream commit)
cve@mitre.org   https://github.com/phpmyadmin/phpmyadmin/commit/364732e309cccb3fb56c938ed8d8bc0e04a3ca98 (upstream commit)
cve@mitre.org   https://github.com/phpmyadmin/phpmyadmin/commit/0b7416c5f4439ed3f11c023785f2d4c49a1b09fc (upstream commit)
cve@mitre.org   https://github.com/phpmyadmin/phpmyadmin/commit/03f73d48369703e0d3584699b08e24891c3295b8 (upstream commit)

OS impact

OS       Version    Status     Fixed in
suse     42.1       affected
suse     13.1       affected
suse     13.2       affected
debian   bookworm   fixed      4:4.6.3-1
debian   bullseye   fixed      4:4.6.3-1
debian   sid        fixed      4:4.6.3-1
debian   trixie     fixed      4:4.6.3-1

Package impact

Ecosystem         Package                  Vulnerable            Fixed
php (Packagist)   phpmyadmin/phpmyadmin    >=4.4.0, <4.4.15.7    4.4.15.7
php (Packagist)   phpmyadmin/phpmyadmin    >=4.6.0, <4.6.3       4.6.3
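The two ranges above have a four-component upper bound, and a string comparison gets them wrong (as text, "4.4.9" sorts after "4.4.15.7"). The following added Python triage helper, not from the advisory or the project, encodes exactly the ranges in this table, compares versions numerically, accepts the Debian "epoch:upstream-revision" form used in the OS impact table, and checks every release the application impact table lists. The lookup of the version string in phpMyAdmin 4.x's libraries/Config.class.php and the config excerpt are assumptions made for the demo; ranges the page does not list (for example any 4.5.x release) are not encoded and come back as not affected.

```python
"""Version triage for CVE-2016-5705 (added example, not from the advisory).

Encodes the two vulnerable ranges from the package-impact table and compares
versions numerically, because string comparison gets 4.4.15.7 vs 4.4.9 wrong.
Handles the Debian "4:4.6.3-1" form (epoch, upstream version, revision) and
the PMA_VERSION string in phpMyAdmin 4.x's libraries/Config.class.php; that
file layout and the sample excerpt below are assumptions for the demo.
"""
import re
from typing import Optional

# Vulnerable ranges from the package-impact table: lower bound inclusive,
# upper bound exclusive. Only what the page lists is encoded here.
VULNERABLE_RANGES = [
    ((4, 4, 0), (4, 4, 15, 7)),   # >=4.4.0, <4.4.15.7  -> fixed in 4.4.15.7
    ((4, 6, 0), (4, 6, 3)),       # >=4.6.0, <4.6.3     -> fixed in 4.6.3
]

# The releases the application-impact table on this page lists as affected.
LISTED_AFFECTED = [
    "4.6.0", "4.6.1", "4.6.2",
    "4.4.0", "4.4.1", "4.4.1.1", "4.4.2", "4.4.3", "4.4.4", "4.4.5", "4.4.6",
    "4.4.6.1", "4.4.7", "4.4.8", "4.4.9", "4.4.10", "4.4.11", "4.4.12",
    "4.4.13", "4.4.13.1", "4.4.14.1", "4.4.15", "4.4.15.1", "4.4.15.2",
    "4.4.15.3", "4.4.15.4", "4.4.15.5", "4.4.15.6",
]

# Optional Debian epoch ("4:"), then the dotted numeric part; anything after
# it ("-1", "+dfsg", "rc1") is ignored for the range check.
_VERSION_RE = re.compile(r"^(?:\d+:)?(\d+(?:\.\d+)*)")


def parse_version(s: str) -> tuple:
    """'4:4.6.3-1' -> (4, 6, 3); '4.4.15.7' -> (4, 4, 15, 7)."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"not a version string: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True if version falls in a range the advisory marks as affected.
    Tuple comparison sorts a shorter prefix first, so 4.4.15 < 4.4.15.7 and
    4.4.15.7 itself is outside the half-open range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in VULNERABLE_RANGES)


def version_from_config(config_php: str) -> Optional[str]:
    """Pull the version out of phpMyAdmin 4.x's Config.class.php, assumed to
    set it as $this->set('PMA_VERSION', '4.6.2');"""
    m = re.search(r"""PMA_VERSION['"]\s*,\s*['"]([^'"]+)['"]""", config_php)
    return m.group(1) if m else None


# Constructed excerpt standing in for libraries/Config.class.php on a host.
SAMPLE_CONFIG = """
        $this->set('PMA_VERSION', '4.4.15.6');
        $this->set('PMA_MAJOR_VERSION', '4.4');
"""

if __name__ == "__main__":
    for v in ["4.4.15.6", "4.4.15.7", "4:4.6.2-1", "4:4.6.3-1", "4.7.0"]:
        print(f"{v:12} vulnerable={is_vulnerable(v)}")
    found = version_from_config(SAMPLE_CONFIG)
    print("host reports", found, "->", "patch" if is_vulnerable(found) else "ok")
```

On a Debian host the same check can be fed the output of `dpkg-query -W -f='${Version}' phpmyadmin`, which is where the "4:4.6.3-1" form comes from; distribution backports that carry the fix under an older upstream version number would need their own entry rather than this upstream-only range check.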

Application impact

Vendor       Product      Versions                                                        Fixed
phpmyadmin   phpmyadmin   4.6.0, 4.6.1, 4.6.2
phpmyadmin   phpmyadmin   4.4.0, 4.4.1, 4.4.1.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6,
                          4.4.6.1, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 4.4.13,
                          4.4.13.1, 4.4.14.1, 4.4.15, 4.4.15.1, 4.4.15.2, 4.4.15.3,
                          4.4.15.4, 4.4.15.5, 4.4.15.6

References

CWEs

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
