CVE-2016-9866: CSRF
First published: Sun Dec 11 2016(Updated: )
An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/phpmyadmin/phpmyadmin | >=4.0.0<4.0.10.18 | 4.0.10.18 |
| composer/phpmyadmin/phpmyadmin | >=4.4.0<4.4.15.9 | 4.4.15.9 |
| composer/phpmyadmin/phpmyadmin | >=4.6.0<4.6.5 | 4.6.5 |
| PhpMyAdmin | =4.6.0 | |
| PhpMyAdmin | =4.6.1 | |
| PhpMyAdmin | =4.6.2 | |
| PhpMyAdmin | =4.6.3 | |
| PhpMyAdmin | =4.6.4 | |
| PhpMyAdmin | =4.4.0 | |
| PhpMyAdmin | =4.4.1 | |
| PhpMyAdmin | =4.4.1.1 | |
| PhpMyAdmin | =4.4.2 | |
| PhpMyAdmin | =4.4.3 | |
| PhpMyAdmin | =4.4.4 | |
| PhpMyAdmin | =4.4.5 | |
| PhpMyAdmin | =4.4.6 | |
| PhpMyAdmin | =4.4.6.1 | |
| PhpMyAdmin | =4.4.7 | |
| PhpMyAdmin | =4.4.8 | |
| PhpMyAdmin | =4.4.9 | |
| PhpMyAdmin | =4.4.10 | |
| PhpMyAdmin | =4.4.11 | |
| PhpMyAdmin | =4.4.12 | |
| PhpMyAdmin | =4.4.13 | |
| PhpMyAdmin | =4.4.13.1 | |
| PhpMyAdmin | =4.4.14 | |
| PhpMyAdmin | =4.4.14.1 | |
| PhpMyAdmin | =4.4.15 | |
| PhpMyAdmin | =4.4.15.1 | |
| PhpMyAdmin | =4.4.15.2 | |
| PhpMyAdmin | =4.4.15.3 | |
| PhpMyAdmin | =4.4.15.4 | |
| PhpMyAdmin | =4.4.15.5 | |
| PhpMyAdmin | =4.4.15.6 | |
| PhpMyAdmin | =4.4.15.7 | |
| PhpMyAdmin | =4.4.15.8 | |
| PhpMyAdmin | =4.0.0 | |
| PhpMyAdmin | =4.0.1 | |
| PhpMyAdmin | =4.0.2 | |
| PhpMyAdmin | =4.0.3 | |
| PhpMyAdmin | =4.0.4 | |
| PhpMyAdmin | =4.0.4.1 | |
| PhpMyAdmin | =4.0.4.2 | |
| PhpMyAdmin | =4.0.5 | |
| PhpMyAdmin | =4.0.6 | |
| PhpMyAdmin | =4.0.7 | |
| PhpMyAdmin | =4.0.8 | |
| PhpMyAdmin | =4.0.9 | |
| PhpMyAdmin | =4.0.10 | |
| PhpMyAdmin | =4.0.10.1 | |
| PhpMyAdmin | =4.0.10.2 | |
| PhpMyAdmin | =4.0.10.3 | |
| PhpMyAdmin | =4.0.10.4 | |
| PhpMyAdmin | =4.0.10.5 | |
| PhpMyAdmin | =4.0.10.6 | |
| PhpMyAdmin | =4.0.10.7 | |
| PhpMyAdmin | =4.0.10.8 | |
| PhpMyAdmin | =4.0.10.9 | |
| PhpMyAdmin | =4.0.10.10 | |
| PhpMyAdmin | =4.0.10.11 | |
| PhpMyAdmin | =4.0.10.12 | |
| PhpMyAdmin | =4.0.10.13 | |
| PhpMyAdmin | =4.0.10.14 | |
| PhpMyAdmin | =4.0.10.15 | |
| PhpMyAdmin | =4.0.10.16 | |
| PhpMyAdmin | =4.0.10.17 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/94536
- https://security.gentoo.org/glsa/201701-32
- https://www.phpmyadmin.net/security/PMASA-2016-71
- https://nvd.nist.gov/vuln/detail/CVE-2016-9866
- https://web.archive.org/web/20210123194736/http://www.securityfocus.com/bid/94536
- https://github.com/advisories/GHSA-jvxx-8xxf-5495 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2016-9866?
CVE-2016-9866 is known to have a medium severity rating due to the potential for Cross-Site Request Forgery (CSRF) exploitation.
How do I fix CVE-2016-9866?
To fix CVE-2016-9866, you should upgrade phpMyAdmin to version 4.6.5, 4.4.15.9, or newer to patch the vulnerability.
What is the impact of CVE-2016-9866?
The impact of CVE-2016-9866 allows an attacker to perform unauthorized actions on behalf of users, exploiting the CSRF vulnerability.
Which versions of phpMyAdmin are affected by CVE-2016-9866?
CVE-2016-9866 affects phpMyAdmin versions prior to 4.6.5, 4.4.15.9, and all versions of 4.0.x.
Is there a workaround for CVE-2016-9866?
There are no official workarounds for CVE-2016-9866; upgrading to the latest versions is the recommended action.
- collector/github-advisory-latest
- alias/GHSA-jvxx-8xxf-5495
- alias/CVE-2016-9866
- collector/github-advisory
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/last-modified-date
- agent/remedy
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/phpmyadmin
- canonical/phpmyadmin
- version/phpmyadmin/4.6.0
- version/phpmyadmin/4.6.1
- version/phpmyadmin/4.6.2
- version/phpmyadmin/4.6.3
- version/phpmyadmin/4.6.4
- version/phpmyadmin/4.4.0
- version/phpmyadmin/4.4.1
- version/phpmyadmin/4.4.1.1
- version/phpmyadmin/4.4.2
- version/phpmyadmin/4.4.3
- version/phpmyadmin/4.4.4
- version/phpmyadmin/4.4.5
- version/phpmyadmin/4.4.6
- version/phpmyadmin/4.4.6.1
- version/phpmyadmin/4.4.7
- version/phpmyadmin/4.4.8
- version/phpmyadmin/4.4.9
- version/phpmyadmin/4.4.10
- version/phpmyadmin/4.4.11
- version/phpmyadmin/4.4.12
- version/phpmyadmin/4.4.13
- version/phpmyadmin/4.4.13.1
- version/phpmyadmin/4.4.14
- version/phpmyadmin/4.4.14.1
- version/phpmyadmin/4.4.15
- version/phpmyadmin/4.4.15.1
- version/phpmyadmin/4.4.15.2
- version/phpmyadmin/4.4.15.3
- version/phpmyadmin/4.4.15.4
- version/phpmyadmin/4.4.15.5
- version/phpmyadmin/4.4.15.6
- version/phpmyadmin/4.4.15.7
- version/phpmyadmin/4.4.15.8
- version/phpmyadmin/4.0.0
- version/phpmyadmin/4.0.1
- version/phpmyadmin/4.0.2
- version/phpmyadmin/4.0.3
- version/phpmyadmin/4.0.4
- version/phpmyadmin/4.0.4.1
- version/phpmyadmin/4.0.4.2
- version/phpmyadmin/4.0.5
- version/phpmyadmin/4.0.6
- version/phpmyadmin/4.0.7
- version/phpmyadmin/4.0.8
- version/phpmyadmin/4.0.9
- version/phpmyadmin/4.0.10
- version/phpmyadmin/4.0.10.1
- version/phpmyadmin/4.0.10.2
- version/phpmyadmin/4.0.10.3
- version/phpmyadmin/4.0.10.4
- version/phpmyadmin/4.0.10.5
- version/phpmyadmin/4.0.10.6
- version/phpmyadmin/4.0.10.7
- version/phpmyadmin/4.0.10.8
- version/phpmyadmin/4.0.10.9
- version/phpmyadmin/4.0.10.10
- version/phpmyadmin/4.0.10.11
- version/phpmyadmin/4.0.10.12
- version/phpmyadmin/4.0.10.13
- version/phpmyadmin/4.0.10.14
- version/phpmyadmin/4.0.10.15
- version/phpmyadmin/4.0.10.16
- version/phpmyadmin/4.0.10.17