CVE-2016-5701 : setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 all

setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI.

Published 2016-07-03 01:59:11

Updated 2018-10-30 16:27:36

Source MITRE

View at NVD, CVE.org

Threat overview for CVE-2016-5701

Top countries where our scanners detected CVE-2016-5701

Top open port discovered on systems with this issue 21

IPs affected by CVE-2016-5701 1

Find out if you^* are affected by CVE-2016-5701!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2016-5701

Probability of exploitation activity in the next 30 days: 0.34%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 67 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2016-5701

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.1	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2016-5701

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-5701

http://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html

openSUSE-SU-2016:1699-1: moderate: Security update for phpMyAdmin

CVEs referencing this url
https://security.gentoo.org/glsa/201701-32

phpMyAdmin: Multiple vulnerabilities (GLSA 201701-32) — Gentoo security

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2016-06/msg00114.html

openSUSE-SU-2016:1700-1: moderate: phpMyAdmin

CVEs referencing this url
http://www.debian.org/security/2016/dsa-3627

Debian -- Security Information -- DSA-3627-1 phpmyadmin

CVEs referencing this url
https://github.com/phpmyadmin/phpmyadmin/commit/1dca386505f396f0c2035112a403cc80768a141f

Use javascript for redirection to https · phpmyadmin/phpmyadmin@1dca386 · GitHub
Patch
http://www.securityfocus.com/bid/91383

phpMyAdmin CVE-2016-5701 Remote Code Injection Vulnerability
https://www.phpmyadmin.net/security/PMASA-2016-17/

phpMyAdmin - Security - PMASA-2016-17
Patch;Vendor Advisory

Products affected by CVE-2016-5701