CVE-2016-5730

high-risk

Published 2016-07-03

phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a missing config directory during setup, or (5) an incorrect OpenID identifier data type, which reveals the full path in an error message.

Do I need to act?

1.3% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Phpmyadmin

Affected Vendors

Phpmyadmin Opensuse

References (20)

http://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html

http://lists.opensuse.org/opensuse-updates/2016-06/msg00114.html

http://www.securityfocus.com/bid/91379

Patch https://github.com/phpmyadmin/phpmyadmin/commit/27664605b945b13e1d2b71adea822ace...

Patch https://github.com/phpmyadmin/phpmyadmin/commit/331c560fbfa0e7d2dce674b5e88e983c...

Patch https://github.com/phpmyadmin/phpmyadmin/commit/96e0aa35653ec0c66084a7e9343465e1...

Patch https://github.com/phpmyadmin/phpmyadmin/commit/b0180f18c828706af3a6800f0fb01a53...

Patch https://github.com/phpmyadmin/phpmyadmin/commit/cd229d718e8cb4bc8ba32446beaa82d2...

https://security.gentoo.org/glsa/201701-32

Patch https://www.phpmyadmin.net/security/PMASA-2016-23/