| Name | CVE-2016-2560 |
| Description | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to libraries/controllers/TableSearchController.class.php in the zoom search page. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-481-1, DSA-3627-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| phpmyadmin (PTS) | jessie, jessie (lts) | 4:4.2.12-2+deb8u12 | fixed |
| stretch (security) | 4:4.6.6-4+deb9u2 | fixed |
| stretch (lts), stretch | 4:4.6.6-4+deb9u3 | fixed |
| bullseye | 4:5.0.4+dfsg2-2+deb11u1 | fixed |
| bookworm | 4:5.2.1+dfsg-1 | fixed |
| sid, trixie | 4:5.2.1+dfsg-4 | fixed |
The information below is based on the following data on fixed versions.
Notes
7ddce5e39a4e12cd351732955394bc7055c280eb: file not present, vulnerability not found in wheezy
0667ea8ac7519d7e642eade2686dc393d5faeae3: vulnerability present in 3.4.3.1, but code mysteriously not found in wheezy
fe3be9f4b9edd54dc39919e7dfeaaf4a67c1cf83: vulnerability introduced in 052fd61f (3.5.1)
b8f1e0f325f8f32bd82af64111d8c2e9055a363c and 73c8245a3d1893a710447957e28dcfb18d9b47ad present in wheezy and later, patch in lists.debian.org/87lh4fpyap.fsf@angela.anarcat.ath.cx