Related CVEs: CVE-2016-6606, CVE-2020-26934, CVE-2020-26935
Several vulnerabilities have been fixed in phpMyAdmin, the web-based MySQL administration interface.
Two issues were found in the way cookies are stored. The decryption of the username/password is vulnerable to a padding oracle attack; this allows an attacker who has access to a user's browser cookie file to decrypt the username and password. Separately, the same initialization vector is used to hash the username and password stored in the phpMyAdmin cookie. If a user's password is identical to their username, an attacker who examines the browser cookie can see that the two values are the same, but cannot directly decode them from the cookie, as they are still hashed.
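The two cookie weaknesses above, as an added Go illustration (this is not phpMyAdmin's code): reusing one fixed IV for every cookie field means anyone holding the cookie can see that two encrypted values are identical, whereas an authenticated mode with a fresh nonce per value removes that leak and closes the padding oracle, since a modified cookie is rejected before any decryption result is examined. The key, IV and values are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// mustAES builds the block cipher; demo keys are 16 bytes, so a bad length is a programming error.
func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// encryptCBCFixedIV mirrors the weak pattern: one key and one fixed IV reused
// for every cookie field, so equal plaintexts always give equal ciphertexts.
func encryptCBCFixedIV(key, iv, plaintext []byte) []byte {
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding, as CBC needs
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(mustAES(key), iv).CryptBlocks(out, padded)
	return out
}

// sealGCM is the hardened form: a fresh random nonce per value and an auth tag,
// so equal plaintexts no longer match and tampering is caught before decryption.
func sealGCM(key, plaintext []byte) []byte {
	gcm, _ := cipher.NewGCM(mustAES(key)) // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err) // no usable randomness: refuse to issue a cookie
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// openGCM fails closed on any ciphertext whose tag does not verify.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, _ := cipher.NewGCM(mustAES(key))
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}
```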
An SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL into a query.
For Debian 8 jessie, these problems have been fixed in version 4:4.2.12-2+deb8u10.
We recommend that you upgrade your phpmyadmin packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/