Security update for phpMyAdmin SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:1556-1 Final 1 1 2016-06-11T16:20:43Z current 2016-06-11T16:20:43Z 2016-06-11T16:20:43Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for phpMyAdmin This phpMyAdmin update to version 4.4.15.6 fixes the following issues: Security issues fixed: - PMASA-2016-16 (CVE-2016-5099, CWE-661): Self XSS, see https://www.phpmyadmin.net/security/PMASA-2016-16/ - PMASA-2016-15 (CVE-2016-5098, CWE-661): File Traversal Protection Bypass on Error Reporting, see https://www.phpmyadmin.net/security/PMASA-2016-15/ - PMASA-2016-14 (CVE-2016-5097, CWE-661): Sensitive Data in URL GET Query Parameters, see https://www.phpmyadmin.net/security/PMASA-2016-14/ The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-06/msg00043.html E-Mail link for openSUSE-SU-2016:1556-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings phpMyAdmin-4.4.15.6-57.1 phpMyAdmin before 4.6.2 places tokens in query strings and does not arrange for them to be stripped before external navigation, which allows remote attackers to obtain sensitive information by reading (1) HTTP requests or (2) server logs. CVE-2016-5097 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-06/msg00043.html https://www.suse.com/security/cve/CVE-2016-5097.html CVE-2016-5097 https://bugzilla.suse.com/982126 SUSE Bug 982126 https://bugzilla.suse.com/982128 SUSE Bug 982128 Directory traversal vulnerability in libraries/error_report.lib.php in phpMyAdmin before 4.6.2-prerelease allows remote attackers to determine the existence of arbitrary files by triggering an error. CVE-2016-5098 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-06/msg00043.html https://www.suse.com/security/cve/CVE-2016-5098.html CVE-2016-5098 https://bugzilla.suse.com/982127 SUSE Bug 982127 https://bugzilla.suse.com/982128 SUSE Bug 982128 Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding. CVE-2016-5099 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-06/msg00043.html https://www.suse.com/security/cve/CVE-2016-5099.html CVE-2016-5099 https://bugzilla.suse.com/982126 SUSE Bug 982126 https://bugzilla.suse.com/982128 SUSE Bug 982128