Executive Summary
Summary

| Field | Value |
|---|---|
| Title | phpmyadmin security update |
Information

| Field | Value |
|---|---|
| Name | DSA-3627 |
| Vendor | Debian |
| Severity (Vendor) | N/A |
| First vendor publication | 2016-07-24 |
| Last vendor modification | 2016-07-24 |
| Revision | 1 |
Security-Database Scoring CVSS v3

| Field | Value |
|---|---|
| CVSS vector | N/A |
| Overall CVSS score | NA |
| Base score | NA |
| Impact subscore | NA |
| Exploitability subscore | NA |
| Temporal score | NA |
| Environmental score | NA |
Security-Database Scoring CVSS v2

| Field | Value |
|---|---|
| CVSS vector | (AV:N/AC:L/Au:N/C:P/I:N/A:N) |
| CVSS base score | 5 |
| CVSS impact score | 2.9 |
| CVSS exploit score | 10 |
| Attack range | Network |
| Attack complexity | Low |
| Authentication | None required |
Detail
Several vulnerabilities have been fixed in phpMyAdmin, the web-based MySQL administration interface.

- CVE-2016-1927: The suggestPassword function relied on a non-secure random number generator, which makes it easier for remote attackers to guess generated passwords via a brute-force approach.
- CVE-2016-2039: CSRF token values were generated by a non-secure random number generator, which allows remote attackers to bypass intended access restrictions by predicting a value.
- CVE-2016-2040: Multiple cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML.
- CVE-2016-2041: phpMyAdmin does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences.
- CVE-2016-2560: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML.
- CVE-2016-2561: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML.
- CVE-2016-5099: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML.
- CVE-2016-5701: For installations running on plain HTTP, phpMyAdmin allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI.
- CVE-2016-5705: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML.
- CVE-2016-5706: phpMyAdmin allows remote attackers to cause a denial of service (resource consumption) via a large array in the scripts parameter.
- CVE-2016-5731: A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML.
- CVE-2016-5733: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML.
- CVE-2016-5739: A specially crafted Transformation could leak information which a remote attacker could use to perform cross-site request forgeries.

For the stable distribution (jessie), these problems have been fixed in version 4:4.2.12-2+deb8u2.

For the unstable distribution (sid), these problems have been fixed in version 4:4.6.3-1.

We recommend that you upgrade your phpmyadmin packages.
Original Source
Url : http://www.debian.org/security/2016/dsa-3627
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
50 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
14 % | CWE-254 | Security Features |
14 % | CWE-200 | Information Exposure |
7 % | CWE-399 | Resource Management Errors |
7 % | CWE-255 | Credentials Management |
7 % | CWE-74 | Failure to Sanitize Data into a Different Plane ('Injection') |
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
2017-04-25 | Name : The remote web server hosts a PHP application that is affected by multiple vu... File : phpmyadmin_4_6_3.nasl - Type : ACT_GATHER_INFO |
2017-04-25 | Name : The remote web server hosts a PHP application that is affected by multiple vu... File : phpmyadmin_4_4_15_7.nasl - Type : ACT_GATHER_INFO |
2017-04-25 | Name : The remote web server hosts a PHP application that is affected by multiple vu... File : phpmyadmin_4_0_10_16.nasl - Type : ACT_GATHER_INFO |
2017-01-12 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201701-32.nasl - Type : ACT_GATHER_INFO |
2016-07-25 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3627.nasl - Type : ACT_GATHER_INFO |
2016-07-18 | Name : The remote Debian host is missing a security update. File : debian_DLA-551.nasl - Type : ACT_GATHER_INFO |
2016-07-15 | Name : The remote Fedora host is missing a security update. File : fedora_2016-9df3915036.nasl - Type : ACT_GATHER_INFO |
2016-07-15 | Name : The remote Fedora host is missing a security update. File : fedora_2016-81c2dabf20.nasl - Type : ACT_GATHER_INFO |
2016-07-15 | Name : The remote Fedora host is missing a security update. File : fedora_2016-56ee5cb8b6.nasl - Type : ACT_GATHER_INFO |
2016-07-05 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_e7028e1d3f9b11e681f96805ca0b3d42.nasl - Type : ACT_GATHER_INFO |
2016-06-29 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2016-806.nasl - Type : ACT_GATHER_INFO |
2016-06-29 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2016-804.nasl - Type : ACT_GATHER_INFO |
2016-06-14 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2016-712.nasl - Type : ACT_GATHER_INFO |
2016-06-01 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2016-655.nasl - Type : ACT_GATHER_INFO |
2016-05-26 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_00ec1be122bb11e69ead6805ca0b3d42.nasl - Type : ACT_GATHER_INFO |
2016-05-19 | Name : The remote Debian host is missing a security update. File : debian_DLA-481.nasl - Type : ACT_GATHER_INFO |
2016-03-14 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2016-02ee5b4002.nasl - Type : ACT_GATHER_INFO |
2016-03-10 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2016-65da02b95c.nasl - Type : ACT_GATHER_INFO |
2016-03-07 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2016-305.nasl - Type : ACT_GATHER_INFO |
2016-03-07 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2016-304.nasl - Type : ACT_GATHER_INFO |
2016-03-04 | Name : The remote Fedora host is missing a security update. File : fedora_2016-e55278763e.nasl - Type : ACT_GATHER_INFO |
2016-03-04 | Name : The remote Fedora host is missing a security update. File : fedora_2016-e1fe01e96e.nasl - Type : ACT_GATHER_INFO |
2016-03-01 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_f682a506df7c11e581e46805ca0b3d42.nasl - Type : ACT_GATHER_INFO |
2016-02-26 | Name : The remote web server hosts a PHP application that is affected by multiple vu... File : phpmyadmin_pmasa_2016_5.nasl - Type : ACT_GATHER_INFO |
2016-02-09 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2016-168.nasl - Type : ACT_GATHER_INFO |
2016-02-08 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2016-151.nasl - Type : ACT_GATHER_INFO |
2016-02-01 | Name : The remote Debian host is missing a security update. File : debian_DLA-406.nasl - Type : ACT_GATHER_INFO |
2016-01-29 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_60ab0e93c60b11e5bf366805ca0b3d42.nasl - Type : ACT_GATHER_INFO |
2016-01-29 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_71b24d99c60b11e5bf366805ca0b3d42.nasl - Type : ACT_GATHER_INFO |
2016-01-29 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_6f0c2d1bc60b11e5bf366805ca0b3d42.nasl - Type : ACT_GATHER_INFO |
2016-01-29 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_6cc06eecc60b11e5bf366805ca0b3d42.nasl - Type : ACT_GATHER_INFO |
Alert History

| Date | Information |
|---|---|
| 2017-07-01 09:25:33 | |
| 2016-08-03 00:25:45 | |
| 2016-07-26 13:25:55 | |
| 2016-07-24 21:25:06 | |