CVE-2016-9864

high-risk
Published 2016-12-11

An issue was discovered in phpMyAdmin. With a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the MySQL database. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

Do I need to act?

-
0.44% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / HIGH complexity

Affected Products (20)

Affected Vendors

Phpmyadmin

References (8)

http://www.securityfocus.com/bid/94533
https://lists.debian.org/debian-lts-announce/2019/06/msg00009.html
https://security.gentoo.org/glsa/201701-32
Patch https://www.phpmyadmin.net/security/PMASA-2016-69
http://www.securityfocus.com/bid/94533
https://lists.debian.org/debian-lts-announce/2019/06/msg00009.html
https://security.gentoo.org/glsa/201701-32
Patch https://www.phpmyadmin.net/security/PMASA-2016-69
51
/ 100
high-risk
Severity 22/34 · High
Exploitability 2/34 · Minimal
Exposure 27/34 · High