CVE-2016-2560

CVSS V2 Medium 4.3 CVSS V3 Medium 6.1
Description
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to libraries/controllers/TableSearchController.class.php in the zoom search page.
Overview
  • CVE ID
  • CVE-2016-2560
  • Assigner
  • cve@mitre.org
  • Vulnerability Status
  • Modified
  • Published Version
  • 2016-03-01T11:59:02
  • Last Modified Date
  • 2016-12-03T03:25:37
Weakness Enumerations
CWE URL
CWE-79 http://cwe.mitre.org/data/definitions/79.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.11:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.12:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.13:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.14:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta1:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta2:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.5:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:M/Au:N/C:N/I:P/A:N
  • Access Vector
  • NETWORK
  • Access Compatibility
  • MEDIUM
  • Authentication
  • NONE
  • Confidentiality Impact
  • NONE
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • NONE
  • Base Score
  • 4.3
  • Severity
  • MEDIUM
  • Exploitability Score
  • 8.6
  • Impact Score
  • 2.9
CVSS Version 3
  • Version
  • 3.0
  • Vector String
  • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • NONE
  • User Interaction
  • REQUIRED
  • Scope
  • CHANGED
  • Confidentiality Impact
  • LOW
  • Availability Impact
  • NONE
  • Base Score
  • 6.1
  • Base Severity
  • MEDIUM
  • Exploitability Score
  • 2.8
  • Impact Score
  • 2.7
References
Reference URL Reference Tags
https://github.com/phpmyadmin/phpmyadmin/commit/c842a0de9288033d25404d1d6eb22dd83033675f Patch
https://github.com/phpmyadmin/phpmyadmin/commit/ab1283e8366c97a155d4e9ae58628a248458ea32 Patch
https://github.com/phpmyadmin/phpmyadmin/commit/41c4e0214c286f28830cca54423b5db57e7c0ce4 Patch
https://www.phpmyadmin.net/security/PMASA-2016-11/ Patch Vendor Advisory
https://github.com/phpmyadmin/phpmyadmin/commit/7877a9c0084bf8ae15cbd8d2729b126271f682cc Patch
https://github.com/phpmyadmin/phpmyadmin/commit/38fa1191049ac0c626a6684eea52068dfbbb5078 Patch
http://www.debian.org/security/2016/dsa-3627
http://lists.opensuse.org/opensuse-updates/2016-03/msg00018.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178562.html
http://lists.opensuse.org/opensuse-updates/2016-03/msg00020.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178869.html
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2016-2560
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2560
History
Created Old Value New Value Data Type Notes
2022-05-10 10:01:10 Added to TrackCVE
2022-12-02 08:30:47 2016-03-01T11:59Z 2016-03-01T11:59:02 CVE Published Date updated
2022-12-02 08:30:47 2016-12-03T03:25:37 CVE Modified Date updated
2022-12-02 08:30:47 Modified Vulnerability Status updated