phpMyAdmin-4.6.5.2-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10054-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z phpMyAdmin-4.6.5.2-1.1 on GA media These are all security issues fixed in the phpMyAdmin-4.6.5.2-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10054 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2011-4107/ SUSE CVE CVE-2011-4107 page https://www.suse.com/security/cve/CVE-2011-4634/ SUSE CVE CVE-2011-4634 page https://www.suse.com/security/cve/CVE-2011-4780/ SUSE CVE CVE-2011-4780 page https://www.suse.com/security/cve/CVE-2011-4782/ SUSE CVE CVE-2011-4782 page https://www.suse.com/security/cve/CVE-2012-4219/ SUSE CVE CVE-2012-4219 page https://www.suse.com/security/cve/CVE-2012-4345/ SUSE CVE CVE-2012-4345 page https://www.suse.com/security/cve/CVE-2012-5339/ SUSE CVE CVE-2012-5339 page https://www.suse.com/security/cve/CVE-2012-5368/ SUSE CVE CVE-2012-5368 page https://www.suse.com/security/cve/CVE-2013-1937/ SUSE CVE CVE-2013-1937 page https://www.suse.com/security/cve/CVE-2013-3238/ SUSE CVE CVE-2013-3238 page https://www.suse.com/security/cve/CVE-2013-3239/ SUSE CVE CVE-2013-3239 page https://www.suse.com/security/cve/CVE-2013-3240/ SUSE CVE CVE-2013-3240 page https://www.suse.com/security/cve/CVE-2013-3241/ SUSE CVE CVE-2013-3241 page https://www.suse.com/security/cve/CVE-2013-3242/ SUSE CVE CVE-2013-3242 page https://www.suse.com/security/cve/CVE-2013-4729/ SUSE CVE CVE-2013-4729 page https://www.suse.com/security/cve/CVE-2013-4995/ SUSE CVE CVE-2013-4995 page https://www.suse.com/security/cve/CVE-2013-4996/ SUSE CVE CVE-2013-4996 page https://www.suse.com/security/cve/CVE-2013-4997/ SUSE CVE CVE-2013-4997 page https://www.suse.com/security/cve/CVE-2013-4998/ SUSE CVE CVE-2013-4998 page https://www.suse.com/security/cve/CVE-2013-4999/ SUSE CVE CVE-2013-4999 page https://www.suse.com/security/cve/CVE-2013-5000/ SUSE CVE CVE-2013-5000 page https://www.suse.com/security/cve/CVE-2013-5001/ SUSE CVE CVE-2013-5001 page https://www.suse.com/security/cve/CVE-2013-5002/ SUSE CVE CVE-2013-5002 page https://www.suse.com/security/cve/CVE-2013-5003/ SUSE CVE CVE-2013-5003 page https://www.suse.com/security/cve/CVE-2013-5029/ SUSE CVE CVE-2013-5029 page https://www.suse.com/security/cve/CVE-2014-1879/ SUSE CVE CVE-2014-1879 page https://www.suse.com/security/cve/CVE-2014-4348/ SUSE CVE CVE-2014-4348 page https://www.suse.com/security/cve/CVE-2014-4349/ SUSE CVE CVE-2014-4349 page https://www.suse.com/security/cve/CVE-2014-4954/ SUSE CVE CVE-2014-4954 page https://www.suse.com/security/cve/CVE-2014-4955/ SUSE CVE CVE-2014-4955 page https://www.suse.com/security/cve/CVE-2014-4986/ SUSE CVE CVE-2014-4986 page https://www.suse.com/security/cve/CVE-2014-4987/ SUSE CVE CVE-2014-4987 page https://www.suse.com/security/cve/CVE-2014-5273/ SUSE CVE CVE-2014-5273 page https://www.suse.com/security/cve/CVE-2014-5274/ SUSE CVE CVE-2014-5274 page https://www.suse.com/security/cve/CVE-2014-6300/ SUSE CVE CVE-2014-6300 page https://www.suse.com/security/cve/CVE-2014-7217/ SUSE CVE CVE-2014-7217 page https://www.suse.com/security/cve/CVE-2014-8326/ SUSE CVE CVE-2014-8326 page https://www.suse.com/security/cve/CVE-2014-8958/ SUSE CVE CVE-2014-8958 page https://www.suse.com/security/cve/CVE-2014-8959/ SUSE CVE CVE-2014-8959 page https://www.suse.com/security/cve/CVE-2014-8960/ SUSE CVE CVE-2014-8960 page https://www.suse.com/security/cve/CVE-2014-8961/ SUSE CVE CVE-2014-8961 page https://www.suse.com/security/cve/CVE-2014-9218/ SUSE CVE CVE-2014-9218 page https://www.suse.com/security/cve/CVE-2014-9219/ SUSE CVE CVE-2014-9219 page https://www.suse.com/security/cve/CVE-2015-2206/ SUSE CVE CVE-2015-2206 page https://www.suse.com/security/cve/CVE-2015-3902/ SUSE CVE CVE-2015-3902 page https://www.suse.com/security/cve/CVE-2015-3903/ SUSE CVE CVE-2015-3903 page https://www.suse.com/security/cve/CVE-2015-6830/ SUSE CVE CVE-2015-6830 page https://www.suse.com/security/cve/CVE-2015-7873/ SUSE CVE CVE-2015-7873 page https://www.suse.com/security/cve/CVE-2015-8669/ SUSE CVE CVE-2015-8669 page https://www.suse.com/security/cve/CVE-2016-1927/ SUSE CVE CVE-2016-1927 page https://www.suse.com/security/cve/CVE-2016-2038/ SUSE CVE CVE-2016-2038 page https://www.suse.com/security/cve/CVE-2016-2039/ SUSE CVE CVE-2016-2039 page https://www.suse.com/security/cve/CVE-2016-2040/ SUSE CVE CVE-2016-2040 page https://www.suse.com/security/cve/CVE-2016-2041/ SUSE CVE CVE-2016-2041 page https://www.suse.com/security/cve/CVE-2016-2042/ SUSE CVE CVE-2016-2042 page https://www.suse.com/security/cve/CVE-2016-2043/ SUSE CVE CVE-2016-2043 page https://www.suse.com/security/cve/CVE-2016-2044/ SUSE CVE CVE-2016-2044 page https://www.suse.com/security/cve/CVE-2016-2045/ SUSE CVE CVE-2016-2045 page https://www.suse.com/security/cve/CVE-2016-2559/ SUSE CVE CVE-2016-2559 page https://www.suse.com/security/cve/CVE-2016-2560/ SUSE CVE CVE-2016-2560 page https://www.suse.com/security/cve/CVE-2016-2561/ SUSE CVE CVE-2016-2561 page https://www.suse.com/security/cve/CVE-2016-2562/ SUSE CVE CVE-2016-2562 page https://www.suse.com/security/cve/CVE-2016-5097/ SUSE CVE CVE-2016-5097 page https://www.suse.com/security/cve/CVE-2016-5099/ SUSE CVE CVE-2016-5099 page https://www.suse.com/security/cve/CVE-2016-5701/ SUSE CVE CVE-2016-5701 page https://www.suse.com/security/cve/CVE-2016-5702/ SUSE CVE CVE-2016-5702 page https://www.suse.com/security/cve/CVE-2016-5703/ SUSE CVE CVE-2016-5703 page https://www.suse.com/security/cve/CVE-2016-5704/ SUSE CVE CVE-2016-5704 page https://www.suse.com/security/cve/CVE-2016-5705/ SUSE CVE CVE-2016-5705 page https://www.suse.com/security/cve/CVE-2016-5706/ SUSE CVE CVE-2016-5706 page https://www.suse.com/security/cve/CVE-2016-5730/ SUSE CVE CVE-2016-5730 page https://www.suse.com/security/cve/CVE-2016-5731/ SUSE CVE CVE-2016-5731 page https://www.suse.com/security/cve/CVE-2016-5732/ SUSE CVE CVE-2016-5732 page https://www.suse.com/security/cve/CVE-2016-5733/ SUSE CVE CVE-2016-5733 page https://www.suse.com/security/cve/CVE-2016-5734/ SUSE CVE CVE-2016-5734 page https://www.suse.com/security/cve/CVE-2016-5739/ SUSE CVE CVE-2016-5739 page https://www.suse.com/security/cve/CVE-2016-6606/ SUSE CVE CVE-2016-6606 page https://www.suse.com/security/cve/CVE-2016-6607/ SUSE CVE CVE-2016-6607 page https://www.suse.com/security/cve/CVE-2016-6608/ SUSE CVE CVE-2016-6608 page https://www.suse.com/security/cve/CVE-2016-6609/ SUSE CVE CVE-2016-6609 page https://www.suse.com/security/cve/CVE-2016-6610/ SUSE CVE CVE-2016-6610 page https://www.suse.com/security/cve/CVE-2016-6611/ SUSE CVE CVE-2016-6611 page https://www.suse.com/security/cve/CVE-2016-6612/ SUSE CVE CVE-2016-6612 page https://www.suse.com/security/cve/CVE-2016-6613/ SUSE CVE CVE-2016-6613 page https://www.suse.com/security/cve/CVE-2016-6614/ SUSE CVE CVE-2016-6614 page https://www.suse.com/security/cve/CVE-2016-6615/ SUSE CVE CVE-2016-6615 page https://www.suse.com/security/cve/CVE-2016-6616/ SUSE CVE CVE-2016-6616 page https://www.suse.com/security/cve/CVE-2016-6617/ SUSE CVE CVE-2016-6617 page https://www.suse.com/security/cve/CVE-2016-6618/ SUSE CVE CVE-2016-6618 page https://www.suse.com/security/cve/CVE-2016-6619/ SUSE CVE CVE-2016-6619 page https://www.suse.com/security/cve/CVE-2016-6620/ SUSE CVE CVE-2016-6620 page https://www.suse.com/security/cve/CVE-2016-6621/ SUSE CVE CVE-2016-6621 page https://www.suse.com/security/cve/CVE-2016-6622/ SUSE CVE CVE-2016-6622 page https://www.suse.com/security/cve/CVE-2016-6623/ SUSE CVE CVE-2016-6623 page https://www.suse.com/security/cve/CVE-2016-6624/ SUSE CVE CVE-2016-6624 page https://www.suse.com/security/cve/CVE-2016-6625/ SUSE CVE CVE-2016-6625 page https://www.suse.com/security/cve/CVE-2016-6626/ SUSE CVE CVE-2016-6626 page https://www.suse.com/security/cve/CVE-2016-6627/ SUSE CVE CVE-2016-6627 page https://www.suse.com/security/cve/CVE-2016-6628/ SUSE CVE CVE-2016-6628 page https://www.suse.com/security/cve/CVE-2016-6629/ SUSE CVE CVE-2016-6629 page https://www.suse.com/security/cve/CVE-2016-6630/ SUSE CVE CVE-2016-6630 page https://www.suse.com/security/cve/CVE-2016-6631/ SUSE CVE CVE-2016-6631 page https://www.suse.com/security/cve/CVE-2016-6632/ SUSE CVE CVE-2016-6632 page https://www.suse.com/security/cve/CVE-2016-6633/ SUSE CVE CVE-2016-6633 page https://www.suse.com/security/cve/CVE-2016-9847/ SUSE CVE CVE-2016-9847 page https://www.suse.com/security/cve/CVE-2016-9848/ SUSE CVE CVE-2016-9848 page https://www.suse.com/security/cve/CVE-2016-9849/ SUSE CVE CVE-2016-9849 page https://www.suse.com/security/cve/CVE-2016-9850/ SUSE CVE CVE-2016-9850 page https://www.suse.com/security/cve/CVE-2016-9851/ SUSE CVE CVE-2016-9851 page https://www.suse.com/security/cve/CVE-2016-9852/ SUSE CVE CVE-2016-9852 page https://www.suse.com/security/cve/CVE-2016-9853/ SUSE CVE CVE-2016-9853 page https://www.suse.com/security/cve/CVE-2016-9854/ SUSE CVE CVE-2016-9854 page https://www.suse.com/security/cve/CVE-2016-9855/ SUSE CVE CVE-2016-9855 page https://www.suse.com/security/cve/CVE-2016-9856/ SUSE CVE CVE-2016-9856 page https://www.suse.com/security/cve/CVE-2016-9857/ SUSE CVE CVE-2016-9857 page https://www.suse.com/security/cve/CVE-2016-9858/ SUSE CVE CVE-2016-9858 page https://www.suse.com/security/cve/CVE-2016-9859/ SUSE CVE CVE-2016-9859 page https://www.suse.com/security/cve/CVE-2016-9860/ SUSE CVE CVE-2016-9860 page https://www.suse.com/security/cve/CVE-2016-9861/ SUSE CVE CVE-2016-9861 page https://www.suse.com/security/cve/CVE-2016-9862/ SUSE CVE CVE-2016-9862 page https://www.suse.com/security/cve/CVE-2016-9863/ SUSE CVE CVE-2016-9863 page https://www.suse.com/security/cve/CVE-2016-9864/ SUSE CVE CVE-2016-9864 page https://www.suse.com/security/cve/CVE-2016-9865/ SUSE CVE CVE-2016-9865 page https://www.suse.com/security/cve/CVE-2016-9866/ SUSE CVE CVE-2016-9866 page openSUSE Tumbleweed phpMyAdmin-4.6.5.2-1.1 phpMyAdmin-4.6.5.2-1.1 as a component of openSUSE Tumbleweed The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack. CVE-2011-4107 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-4107.html CVE-2011-4107 https://bugzilla.suse.com/728243 SUSE Bug 728243 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.4.x before 3.4.8 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted database name, related to the Database Synchronize panel; (2) a crafted database name, related to the Database rename panel; (3) a crafted SQL query, related to the table overview panel; (4) a crafted SQL query, related to the view creation dialog; (5) a crafted column type, related to the table search dialog; or (6) a crafted column type, related to the create index dialog. CVE-2011-4634 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-4634.html CVE-2011-4634 https://bugzilla.suse.com/736772 SUSE Bug 736772 Multiple cross-site scripting (XSS) vulnerabilities in libraries/display_export.lib.php in phpMyAdmin 3.4.x before 3.4.9 allow remote attackers to inject arbitrary web script or HTML via crafted URL parameters, related to the export panels in the (1) server, (2) database, and (3) table sections. CVE-2011-4780 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-4780.html CVE-2011-4780 https://bugzilla.suse.com/738411 SUSE Bug 738411 Cross-site scripting (XSS) vulnerability in libraries/config/ConfigFile.class.php in the setup interface in phpMyAdmin 3.4.x before 3.4.9 allows remote attackers to inject arbitrary web script or HTML via the host parameter. CVE-2011-4782 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-4782.html CVE-2011-4782 https://bugzilla.suse.com/738411 SUSE Bug 738411 show_config_errors.php in phpMyAdmin 3.5.x before 3.5.2.1 allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message, related to lack of inclusion of the common.inc.php library file. CVE-2012-4219 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-4219.html CVE-2012-4219 https://bugzilla.suse.com/776698 SUSE Bug 776698 Multiple cross-site scripting (XSS) vulnerabilities in the Database Structure page in phpMyAdmin 3.4.x before 3.4.11.1 and 3.5.x before 3.5.2.2 allow remote authenticated users to inject arbitrary web script or HTML via (1) a crafted table name during table creation, or a (2) Empty link or (3) Drop link for a crafted table name. CVE-2012-4345 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-4345.html CVE-2012-4345 https://bugzilla.suse.com/776701 SUSE Bug 776701 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.3 allow remote authenticated users to inject arbitrary web script or HTML via a crafted name of (1) an event, (2) a procedure, or (3) a trigger. CVE-2012-5339 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-5339.html CVE-2012-5339 https://bugzilla.suse.com/788103 SUSE Bug 788103 phpMyAdmin 3.5.x before 3.5.3 uses JavaScript code that is obtained through an HTTP session to phpmyadmin.net without SSL, which allows man-in-the-middle attackers to conduct cross-site scripting (XSS) attacks by modifying this code. CVE-2012-5368 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-5368.html CVE-2012-5368 https://bugzilla.suse.com/788103 SUSE Bug 788103 ** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow remote attackers to inject arbitrary web script or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameter. NOTE: a third party reports that this is "not exploitable." CVE-2013-1937 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-1937.html CVE-2013-1937 https://bugzilla.suse.com/814678 SUSE Bug 814678 phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote authenticated users to execute arbitrary code via a /e\x00 sequence, which is not properly handled before making a preg_replace function call within the "Replace table prefix" feature. CVE-2013-3238 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-3238.html CVE-2013-3238 https://bugzilla.suse.com/824301 SUSE Bug 824301 phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename of an export file, leading to interpretation of this file as an executable file by the Apache HTTP Server, as demonstrated by a .php.sql filename. CVE-2013-3239 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-3239.html CVE-2013-3239 https://bugzilla.suse.com/824302 SUSE Bug 824302 Directory traversal vulnerability in the Export feature in phpMyAdmin 4.x before 4.0.0-rc3 allows remote authenticated users to read arbitrary files or possibly have unspecified other impact via a parameter that specifies a crafted export type. CVE-2013-3240 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-3240.html CVE-2013-3240 https://bugzilla.suse.com/824304 SUSE Bug 824304 export.php (aka the export script) in phpMyAdmin 4.x before 4.0.0-rc3 overwrites global variables on the basis of the contents of the POST superglobal array, which allows remote authenticated users to inject values via a crafted request. CVE-2013-3241 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-3241.html CVE-2013-3241 https://bugzilla.suse.com/824305 SUSE Bug 824305 plugins/system/remember/remember.php in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 does not properly handle an object obtained by unserializing a cookie, which allows remote authenticated users to conduct PHP object injection attacks and cause a denial of service via unspecified vectors. CVE-2013-3242 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5.5 AV:N/AC:L/Au:S/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-3242.html CVE-2013-3242 import.php in phpMyAdmin 4.x before 4.0.4.1 does not properly restrict the ability of input data to specify a file format, which allows remote authenticated users to modify the GLOBALS superglobal array, and consequently change the configuration, via a crafted request. CVE-2013-4729 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5.5 AV:N/AC:L/Au:S/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4729.html CVE-2013-4729 https://bugzilla.suse.com/828319 SUSE Bug 828319 Cross-site scripting (XSS) vulnerability in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted SQL query that is not properly handled during the display of row information. CVE-2013-4995 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4995.html CVE-2013-4995 https://bugzilla.suse.com/843671 SUSE Bug 843671 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted database name, (2) a crafted user name, (3) a crafted logo URL in the navigation panel, (4) a crafted entry in a certain proxy list, or (5) crafted content in a version.json file. CVE-2013-4996 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4996.html CVE-2013-4996 https://bugzilla.suse.com/843671 SUSE Bug 843671 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving a JavaScript event in (1) an anchor identifier to setup/index.php or (2) a chartTitle (aka chart title) value. CVE-2013-4997 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4997.html CVE-2013-4997 https://bugzilla.suse.com/843671 SUSE Bug 843671 phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to pmd_common.php and other files. CVE-2013-4998 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4998.html CVE-2013-4998 https://bugzilla.suse.com/843671 SUSE Bug 843671 phpMyAdmin 4.0.x before 4.0.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to Error.class.php and Error_Handler.class.php. CVE-2013-4999 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4999.html CVE-2013-4999 https://bugzilla.suse.com/843671 SUSE Bug 843671 phpMyAdmin 3.5.x before 3.5.8.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to config.default.php and other files. CVE-2013-5000 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-5000.html CVE-2013-5000 https://bugzilla.suse.com/843671 SUSE Bug 843671 Cross-site scripting (XSS) vulnerability in libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php in phpMyAdmin 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted object name associated with a TextLinkTransformationPlugin link. CVE-2013-5001 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-5001.html CVE-2013-5001 https://bugzilla.suse.com/843671 SUSE Bug 843671 Cross-site scripting (XSS) vulnerability in libraries/schema/Export_Relation_Schema.class.php in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted pageNumber value to schema_export.php. CVE-2013-5002 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-5002.html CVE-2013-5002 https://bugzilla.suse.com/843671 SUSE Bug 843671 Multiple SQL injection vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allow remote authenticated users to execute arbitrary SQL commands via (1) the scale parameter to pmd_pdf.php or (2) the pdf_page_number parameter to schema_export.php. CVE-2013-5003 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-5003.html CVE-2013-5003 https://bugzilla.suse.com/843671 SUSE Bug 843671 phpMyAdmin 3.5.x and 4.0.x before 4.0.5 allows remote attackers to bypass the clickjacking protection mechanism via certain vectors related to Header.class.php. CVE-2013-5029 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-5029.html CVE-2013-5029 https://bugzilla.suse.com/833731 SUSE Bug 833731 Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin before 4.1.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename in an import action. CVE-2014-1879 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-1879.html CVE-2014-1879 https://bugzilla.suse.com/864917 SUSE Bug 864917 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database name or (2) table name that is improperly handled after presence in (a) the favorite list or (b) recent tables. CVE-2014-4348 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-4348.html CVE-2014-4348 https://bugzilla.suse.com/892310 SUSE Bug 892310 https://bugzilla.suse.com/892401 SUSE Bug 892401 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.1.x before 4.1.14.1 and 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted table name that is improperly handled after a (1) hide or (2) unhide action. CVE-2014-4349 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-4349.html CVE-2014-4349 https://bugzilla.suse.com/892310 SUSE Bug 892310 https://bugzilla.suse.com/892401 SUSE Bug 892401 Cross-site scripting (XSS) vulnerability in the PMA_getHtmlForActionLinks function in libraries/structure.lib.php in phpMyAdmin 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted table comment that is improperly handled during construction of a database structure page. CVE-2014-4954 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-4954.html CVE-2014-4954 https://bugzilla.suse.com/892310 SUSE Bug 892310 https://bugzilla.suse.com/892401 SUSE Bug 892401 Cross-site scripting (XSS) vulnerability in the PMA_TRI_getRowForList function in libraries/rte/rte_list.lib.php in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted trigger name that is improperly handled on the database triggers page. CVE-2014-4955 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-4955.html CVE-2014-4955 https://bugzilla.suse.com/892310 SUSE Bug 892310 https://bugzilla.suse.com/892401 SUSE Bug 892401 Multiple cross-site scripting (XSS) vulnerabilities in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) table name or (2) column name that is improperly handled during construction of an AJAX confirmation message. CVE-2014-4986 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-4986.html CVE-2014-4986 https://bugzilla.suse.com/892310 SUSE Bug 892310 https://bugzilla.suse.com/892401 SUSE Bug 892401 server_user_groups.php in phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x before 4.2.6 allows remote authenticated users to bypass intended access restrictions and read the MySQL user list via a viewUsers request. CVE-2014-4987 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-4987.html CVE-2014-4987 https://bugzilla.suse.com/892310 SUSE Bug 892310 https://bugzilla.suse.com/892401 SUSE Bug 892401 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.2, 4.1.x before 4.1.14.3, and 4.2.x before 4.2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) browse table page, related to js/sql.js; (2) ENUM editor page, related to js/functions.js; (3) monitor page, related to js/server_status_monitor.js; (4) query charts page, related to js/tbl_chart.js; or (5) table relations page, related to libraries/tbl_relation.lib.php. CVE-2014-5273 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-5273.html CVE-2014-5273 https://bugzilla.suse.com/892310 SUSE Bug 892310 https://bugzilla.suse.com/892401 SUSE Bug 892401 Cross-site scripting (XSS) vulnerability in the view operations page in phpMyAdmin 4.1.x before 4.1.14.3 and 4.2.x before 4.2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted view name, related to js/functions.js. CVE-2014-5274 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-5274.html CVE-2014-5274 https://bugzilla.suse.com/892310 SUSE Bug 892310 https://bugzilla.suse.com/892401 SUSE Bug 892401 Cross-site scripting (XSS) vulnerability in the micro history implementation in phpMyAdmin 4.0.x before 4.0.10.3, 4.1.x before 4.1.14.4, and 4.2.x before 4.2.8.1 allows remote attackers to inject arbitrary web script or HTML, and consequently conduct a cross-site request forgery (CSRF) attack to create a root account, via a crafted URL, related to js/ajax.js. CVE-2014-6300 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-6300.html CVE-2014-6300 https://bugzilla.suse.com/896635 SUSE Bug 896635 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.4, 4.1.x before 4.1.14.5, and 4.2.x before 4.2.9.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted ENUM value that is improperly handled during rendering of the (1) table search or (2) table structure page, related to libraries/TableSearch.class.php and libraries/Util.class.php. CVE-2014-7217 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-7217.html CVE-2014-7217 https://bugzilla.suse.com/899452 SUSE Bug 899452 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.5, 4.1.x before 4.1.14.6, and 4.2.x before 4.2.10.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database name or (2) table name, related to the libraries/DatabaseInterface.class.php code for SQL debug output and the js/server_status_monitor.js code for the server monitor page. CVE-2014-8326 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-8326.html CVE-2014-8326 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database, (2) table, or (3) column name that is improperly handled during rendering of the table browse page; a crafted ENUM value that is improperly handled during rendering of the (4) table print view or (5) zoom search page; or (6) a crafted pma_fontsize cookie that is improperly handled during rendering of the home page. CVE-2014-8958 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-8958.html CVE-2014-8958 https://bugzilla.suse.com/906485 SUSE Bug 906485 https://bugzilla.suse.com/908363 SUSE Bug 908363 https://bugzilla.suse.com/908364 SUSE Bug 908364 Directory traversal vulnerability in libraries/gis/GIS_Factory.class.php in the GIS editor in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allows remote authenticated users to include and execute arbitrary local files via a crafted geometry-type parameter. CVE-2014-8959 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-8959.html CVE-2014-8959 https://bugzilla.suse.com/906486 SUSE Bug 906486 https://bugzilla.suse.com/908363 SUSE Bug 908363 https://bugzilla.suse.com/908364 SUSE Bug 908364 Cross-site scripting (XSS) vulnerability in libraries/error_report.lib.php in the error-reporting feature in phpMyAdmin 4.1.x before 4.1.14.7 and 4.2.x before 4.2.12 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename. CVE-2014-8960 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-8960.html CVE-2014-8960 https://bugzilla.suse.com/906487 SUSE Bug 906487 https://bugzilla.suse.com/908363 SUSE Bug 908363 https://bugzilla.suse.com/908364 SUSE Bug 908364 Directory traversal vulnerability in libraries/error_report.lib.php in the error-reporting feature in phpMyAdmin 4.1.x before 4.1.14.7 and 4.2.x before 4.2.12 allows remote authenticated users to obtain potentially sensitive information about a file's line count via a crafted parameter. CVE-2014-8961 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-8961.html CVE-2014-8961 https://bugzilla.suse.com/906488 SUSE Bug 906488 https://bugzilla.suse.com/908363 SUSE Bug 908363 https://bugzilla.suse.com/908364 SUSE Bug 908364 libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to cause a denial of service (resource consumption) via a long password. CVE-2014-9218 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9218.html CVE-2014-9218 https://bugzilla.suse.com/908363 SUSE Bug 908363 Cross-site scripting (XSS) vulnerability in the redirection feature in url.php in phpMyAdmin 4.2.x before 4.2.13.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter. CVE-2014-9219 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9219.html CVE-2014-9219 https://bugzilla.suse.com/908364 SUSE Bug 908364 libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests. CVE-2015-2206 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-2206.html CVE-2015-2206 https://bugzilla.suse.com/920773 SUSE Bug 920773 Multiple cross-site request forgery (CSRF) vulnerabilities in the setup process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 allow remote attackers to hijack the authentication of administrators for requests that modify the configuration file. CVE-2015-3902 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-3902.html CVE-2015-3902 https://bugzilla.suse.com/930992 SUSE Bug 930992 libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 disables X.509 certificate verification for GitHub API calls over SSL, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. CVE-2015-3903 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-3903.html CVE-2015-3903 https://bugzilla.suse.com/930993 SUSE Bug 930993 libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4.3.x before 4.3.13.2 and 4.4.x before 4.4.14.1 allows remote attackers to bypass a multiple-reCaptcha protection mechanism against brute-force credential guessing by providing a correct response to a single reCaptcha. CVE-2015-6830 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-6830.html CVE-2015-6830 https://bugzilla.suse.com/945420 SUSE Bug 945420 The redirection feature in url.php in phpMyAdmin 4.4.x before 4.4.15.1 and 4.5.x before 4.5.1 allows remote attackers to spoof content via the url parameter. CVE-2015-7873 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7873.html CVE-2015-7873 https://bugzilla.suse.com/951960 SUSE Bug 951960 libraries/config/messages.inc.php in phpMyAdmin 4.0.x before 4.0.10.12, 4.4.x before 4.4.15.2, and 4.5.x before 4.5.3.1 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. CVE-2015-8669 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8669.html CVE-2015-8669 https://bugzilla.suse.com/960282 SUSE Bug 960282 The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the Math.random JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach. CVE-2016-1927 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1927.html CVE-2016-1927 https://bugzilla.suse.com/964024 SUSE Bug 964024 phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. CVE-2016-2038 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2038.html CVE-2016-2038 https://bugzilla.suse.com/964024 SUSE Bug 964024 libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value. CVE-2016-2039 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2039.html CVE-2016-2039 https://bugzilla.suse.com/964024 SUSE Bug 964024 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname in a Location header. CVE-2016-2040 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2040.html CVE-2016-2040 https://bugzilla.suse.com/964024 SUSE Bug 964024 libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences. CVE-2016-2041 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2041.html CVE-2016-2041 https://bugzilla.suse.com/964024 SUSE Bug 964024 phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request to (1) libraries/phpseclib/Crypt/AES.php or (2) libraries/phpseclib/Crypt/Rijndael.php, which reveals the full path in an error message. CVE-2016-2042 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2042.html CVE-2016-2042 https://bugzilla.suse.com/964024 SUSE Bug 964024 Cross-site scripting (XSS) vulnerability in the goToFinish1NF function in js/normalization.js in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a table name to the normalization page. CVE-2016-2043 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2043.html CVE-2016-2043 https://bugzilla.suse.com/964024 SUSE Bug 964024 libraries/sql-parser/autoload.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. CVE-2016-2044 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2044.html CVE-2016-2044 https://bugzilla.suse.com/964024 SUSE Bug 964024 Cross-site scripting (XSS) vulnerability in the SQL editor in phpMyAdmin 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a SQL query that triggers JSON data in a response. CVE-2016-2045 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2045.html CVE-2016-2045 https://bugzilla.suse.com/964024 SUSE Bug 964024 Cross-site scripting (XSS) vulnerability in the format function in libraries/sql-parser/src/Utils/Error.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.5.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query. CVE-2016-2559 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2559.html CVE-2016-2559 https://bugzilla.suse.com/968940 SUSE Bug 968940 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to libraries/controllers/TableSearchController.class.php in the zoom search page. CVE-2016-2560 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2560.html CVE-2016-2560 https://bugzilla.suse.com/968938 SUSE Bug 968938 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3) templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos parameter to db_central_columns.php in the central columns page. CVE-2016-2561 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2561.html CVE-2016-2561 https://bugzilla.suse.com/968941 SUSE Bug 968941 The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof these servers and obtain sensitive information via a crafted certificate. CVE-2016-2562 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2562.html CVE-2016-2562 https://bugzilla.suse.com/968928 SUSE Bug 968928 phpMyAdmin before 4.6.2 places tokens in query strings and does not arrange for them to be stripped before external navigation, which allows remote attackers to obtain sensitive information by reading (1) HTTP requests or (2) server logs. CVE-2016-5097 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5097.html CVE-2016-5097 https://bugzilla.suse.com/982126 SUSE Bug 982126 https://bugzilla.suse.com/982128 SUSE Bug 982128 Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding. CVE-2016-5099 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5099.html CVE-2016-5099 https://bugzilla.suse.com/982126 SUSE Bug 982126 https://bugzilla.suse.com/982128 SUSE Bug 982128 setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI. CVE-2016-5701 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5701.html CVE-2016-5701 https://bugzilla.suse.com/986154 SUSE Bug 986154 phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI. CVE-2016-5702 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5702.html CVE-2016-5702 https://bugzilla.suse.com/986154 SUSE Bug 986154 SQL injection vulnerability in libraries/central_columns.lib.php in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allows remote attackers to execute arbitrary SQL commands via a crafted database name that is mishandled in a central column query. CVE-2016-5703 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5703.html CVE-2016-5703 https://bugzilla.suse.com/986154 SUSE Bug 986154 Cross-site scripting (XSS) vulnerability in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving a comment. CVE-2016-5704 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5704.html CVE-2016-5704 https://bugzilla.suse.com/986154 SUSE Bug 986154 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an "invalid JSON" error message in the error console, (3) a database name in the central columns implementation, (4) a group name, or (5) a search name in the bookmarks implementation. CVE-2016-5705 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5705.html CVE-2016-5705 https://bugzilla.suse.com/986154 SUSE Bug 986154 js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to cause a denial of service via a large array in the scripts parameter. CVE-2016-5706 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5706.html CVE-2016-5706 https://bugzilla.suse.com/986154 SUSE Bug 986154 phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a missing config directory during setup, or (5) an incorrect OpenID identifier data type, which reveals the full path in an error message. CVE-2016-5730 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5730.html CVE-2016-5730 https://bugzilla.suse.com/986154 SUSE Bug 986154 Cross-site scripting (XSS) vulnerability in examples/openid.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message. CVE-2016-5731 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5731.html CVE-2016-5731 https://bugzilla.suse.com/986154 SUSE Bug 986154 Multiple cross-site scripting (XSS) vulnerabilities in the partition-range implementation in templates/table/structure/display_partitions.phtml in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via crafted table parameters. CVE-2016-5732 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5732.html CVE-2016-5732 https://bugzilla.suse.com/986154 SUSE Bug 986154 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during privilege checking in table_row.phtml, (2) a crafted mysqld log_bin directive that is mishandled in log_selector.phtml, (3) the Transformation implementation, (4) AJAX error handling in js/ajax.js, (5) the Designer implementation, (6) the charts implementation in js/tbl_chart.js, or (7) the zoom-search implementation in rows_zoom.phtml. CVE-2016-5733 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5733.html CVE-2016-5733 https://bugzilla.suse.com/986154 SUSE Bug 986154 phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation. CVE-2016-5734 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5734.html CVE-2016-5734 https://bugzilla.suse.com/986154 SUSE Bug 986154 The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php. CVE-2016-5739 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5739.html CVE-2016-5739 https://bugzilla.suse.com/986154 SUSE Bug 986154 An issue was discovered in cookie encryption in phpMyAdmin. The decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user's browser cookie file to decrypt the username and password. Furthermore, the same initialization vector (IV) is used to hash the username and password stored in the phpMyAdmin cookie. If a user has the same password as their username, an attacker who examines the browser cookie can see that they are the same - but the attacker can not directly decode these values from the cookie as it is still hashed. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6606 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6606.html CVE-2016-6606 https://bugzilla.suse.com/994313 SUSE Bug 994313 XSS issues were discovered in phpMyAdmin. This affects Zoom search (specially crafted column content can be used to trigger an XSS attack); GIS editor (certain fields in the graphical GIS editor are not properly escaped and can be used to trigger an XSS attack); Relation view; the following Transformations: Formatted, Imagelink, JPEG: Upload, RegexValidation, JPEG inline, PNG inline, and transformation wrapper; XML export; MediaWiki export; Designer; When the MySQL server is running with a specially-crafted log_bin directive; Database tab; Replication feature; and Database search. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6607 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6607.html CVE-2016-6607 https://bugzilla.suse.com/994313 SUSE Bug 994313 XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the "Remove partitioning" functionality. Specially crafted database names can trigger the XSS attack. All 4.6.x versions (prior to 4.6.4) are affected. CVE-2016-6608 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6608.html CVE-2016-6608 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. A specially crafted database name could be used to run arbitrary PHP commands through the array export feature. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6609 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6609.html CVE-2016-6609 https://bugzilla.suse.com/994313 SUSE Bug 994313 A full path disclosure vulnerability was discovered in phpMyAdmin where a user can trigger a particular error in the export mechanism to discover the full path of phpMyAdmin on the disk. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6610 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6610.html CVE-2016-6610 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6611 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6611.html CVE-2016-6611 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. A user can exploit the LOAD LOCAL INFILE functionality to expose files on the server to the database system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6612 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6612.html CVE-2016-6612 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. A user can specially craft a symlink on disk, to a file which phpMyAdmin is permitted to read but the user is not, which phpMyAdmin will then expose to the user. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6613 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 2.1 AV:N/AC:H/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6613.html CVE-2016-6613 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin involving the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a specially-crafted user name can be used to circumvent restrictions to traverse the file system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6614 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6614.html CVE-2016-6614 https://bugzilla.suse.com/994313 SUSE Bug 994313 XSS issues were discovered in phpMyAdmin. This affects navigation pane and database/table hiding feature (a specially-crafted database name can be used to trigger an XSS attack); the "Tracking" feature (a specially-crafted query can be used to trigger an XSS attack); and GIS visualization feature. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected. CVE-2016-6615 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6615.html CVE-2016-6615 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. In the "User group" and "Designer" features, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected. CVE-2016-6616 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6616.html CVE-2016-6616 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4) are affected. CVE-2016-6617 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6617.html CVE-2016-6617 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. The transformation feature allows a user to trigger a denial-of-service (DoS) attack against the server. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6618 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6618.html CVE-2016-6618 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. In the user interface preference feature, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6619 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6619.html CVE-2016-6619 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. Some data is passed to the PHP unserialize() function without verification that it's valid serialized data. The unserialization can result in code execution because of the interaction with object instantiation and autoloading. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6620 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6620.html CVE-2016-6620 https://bugzilla.suse.com/994313 SUSE Bug 994313 The setup script for phpMyAdmin before 4.0.10.19, 4.4.x before 4.4.15.10, and 4.6.x before 4.6.6 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors. CVE-2016-6621 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6621.html CVE-2016-6621 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. An unauthenticated user is able to execute a denial-of-service (DoS) attack by forcing persistent connections when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6622 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6622.html CVE-2016-6622 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. An authorized user can cause a denial-of-service (DoS) attack on a server by passing large values to a loop. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6623 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6623.html CVE-2016-6623 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin involving improper enforcement of the IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6624 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6624.html CVE-2016-6624 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. An attacker can determine whether a user is logged in to phpMyAdmin. The user's session, username, and password are not compromised by this vulnerability. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6625 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6625.html CVE-2016-6625 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. An attacker could redirect a user to a malicious web page. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6626 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6626.html CVE-2016-6626 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. An attacker can determine the phpMyAdmin host location through the file url.php. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6627 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6627.html CVE-2016-6627 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. An attacker may be able to trigger a user to download a specially crafted malicious SVG file. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6628 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6628.html CVE-2016-6628 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin involving the $cfg['ArbitraryServerRegexp'] configuration directive. An attacker could reuse certain cookie values in a way of bypassing the servers defined by ArbitraryServerRegexp. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6629 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6629.html CVE-2016-6629 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. An authenticated user can trigger a denial-of-service (DoS) attack by entering a very long password at the change password dialog. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6630 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6630.html CVE-2016-6630 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. A user can execute a remote code execution attack against a server when phpMyAdmin is being run as a CGI application. Under certain server configurations, a user can pass a query string which is executed as a command-line argument by the file generator_plugin.sh. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6631 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6631.html CVE-2016-6631 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin where, under certain conditions, phpMyAdmin may not delete temporary files during the import of ESRI files. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6632 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6632.html CVE-2016-6632 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. phpMyAdmin can be used to trigger a remote code execution attack against certain PHP installations that are running with the dbase extension. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. CVE-2016-6633 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6633.html CVE-2016-6633 https://bugzilla.suse.com/994313 SUSE Bug 994313 An issue was discovered in phpMyAdmin. When the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where the way this value is created uses a weak algorithm. This could allow an attacker to determine the user's blowfish_secret and potentially decrypt their cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. CVE-2016-9847 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9847.html CVE-2016-9847 An issue was discovered in phpMyAdmin. phpinfo (phpinfo.php) shows PHP information including values of HttpOnly cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. CVE-2016-9848 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9848.html CVE-2016-9848 An issue was discovered in phpMyAdmin. It is possible to bypass AllowRoot restriction ($cfg['Servers'][$i]['AllowRoot']) and deny rules for username by using Null Byte in the username. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. CVE-2016-9849 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9849.html CVE-2016-9849 An issue was discovered in phpMyAdmin. Username matching for the allow/deny rules may result in wrong matches and detection of the username in the rule due to non-constant execution time. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. CVE-2016-9850 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9850.html CVE-2016-9850 An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to bypass the logout timeout. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. CVE-2016-9851 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9851.html CVE-2016-9851 An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the curl wrapper issue. CVE-2016-9852 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9852.html CVE-2016-9852 An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the fopen wrapper issue. CVE-2016-9853 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9853.html CVE-2016-9853 An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the json_decode issue. CVE-2016-9854 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9854.html CVE-2016-9854 An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the PMA_shutdownDuringExport issue. CVE-2016-9855 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9855.html CVE-2016-9855 An XSS issue was discovered in phpMyAdmin because of an improper fix for CVE-2016-2559 in PMASA-2016-10. This issue is resolved by using a copy of a hash to avoid a race condition. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. CVE-2016-9856 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9856.html CVE-2016-9856 An issue was discovered in phpMyAdmin. XSS is possible because of a weakness in a regular expression used in some JavaScript processing. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. CVE-2016-9857 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9857.html CVE-2016-9857 An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in saved searches feature. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. CVE-2016-9858 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9858.html CVE-2016-9858 An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in import feature. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. CVE-2016-9859 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9859.html CVE-2016-9859 An issue was discovered in phpMyAdmin. An unauthenticated user can execute a denial of service attack when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. CVE-2016-9860 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9860.html CVE-2016-9860 An issue was discovered in phpMyAdmin. Due to the limitation in URL matching, it was possible to bypass the URL white-list protection. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. CVE-2016-9861 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9861.html CVE-2016-9861 An issue was discovered in phpMyAdmin. With a crafted login request it is possible to inject BBCode in the login page. All 4.6.x versions (prior to 4.6.5) are affected. CVE-2016-9862 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9862.html CVE-2016-9862 An issue was discovered in phpMyAdmin. With a very large request to table partitioning function, it is possible to invoke a Denial of Service (DoS) attack. All 4.6.x versions (prior to 4.6.5) are affected. CVE-2016-9863 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9863.html CVE-2016-9863 An issue was discovered in phpMyAdmin. With a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the MySQL database. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. CVE-2016-9864 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9864.html CVE-2016-9864 An issue was discovered in phpMyAdmin. Due to a bug in serialized string parsing, it was possible to bypass the protection offered by PMA_safeUnserialize() function. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. CVE-2016-9865 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9865.html CVE-2016-9865 An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. CVE-2016-9866 openSUSE Tumbleweed:phpMyAdmin-4.6.5.2-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9866.html CVE-2016-9866