Vulnerability Name:

CVE-2016-5733 (CCN-114740)

Assigned:2016-06-23
Published:2016-06-23
Updated:2018-10-30
Summary:Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during privilege checking in table_row.phtml, (2) a crafted mysqld log_bin directive that is mishandled in log_selector.phtml, (3) the Transformation implementation, (4) AJAX error handling in js/ajax.js, (5) the Designer implementation, (6) the charts implementation in js/tbl_chart.js, or (7) the zoom-search implementation in rows_zoom.phtml.
CVSS v3 Severity:6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Cross-Site Scripting
References:Source: MITRE
Type: CNA
CVE-2016-5733

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2016:1699

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2016:1700

Source: DEBIAN
Type: UNKNOWN
DSA-3627

Source: BID
Type: UNKNOWN
91390

Source: XF
Type: UNKNOWN
phpmyadmin-cve20165733-xss(114740)

Source: CONFIRM
Type: Patch
https://github.com/phpmyadmin/phpmyadmin/commit/4d21b5c077db50c2a54b7f569d20f463cc2651f5

Source: CONFIRM
Type: Patch
https://github.com/phpmyadmin/phpmyadmin/commit/615212a14d7d87712202f37354acf8581987fc5a

Source: CONFIRM
Type: Patch
https://github.com/phpmyadmin/phpmyadmin/commit/79661610f6f65443e0ec1e382a7240437f28436c

Source: CONFIRM
Type: Patch
https://github.com/phpmyadmin/phpmyadmin/commit/8716855b309dbe65d7b9a5d681b80579b225b322

Source: CONFIRM
Type: Patch
https://github.com/phpmyadmin/phpmyadmin/commit/895a131d2eb7e447757a35d5731c7d647823ea8b

Source: CONFIRM
Type: Patch
https://github.com/phpmyadmin/phpmyadmin/commit/960fd1fd52023047a23d069178bfff7463c2cefc

Source: CONFIRM
Type: Patch
https://github.com/phpmyadmin/phpmyadmin/commit/be3ecbb4cca3fbe20e3b3aa4e049902d18b60865

Source: CONFIRM
Type: Patch
https://github.com/phpmyadmin/phpmyadmin/commit/d648ade18d6cbb796a93261491c121f078df2d88

Source: GENTOO
Type: UNKNOWN
GLSA-201701-32

Source: CCN
Type: phpMyAdmin Security Advisory PMASA-2016-26
Multiple XSS vulnerabilities

Source: CONFIRM
Type: Patch, Vendor Advisory
https://www.phpmyadmin.net/security/PMASA-2016-26/

Vulnerable Configuration:Configuration 1:
  • cpe:/a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.1:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.2:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.3:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.4:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.5:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.6:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.7:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.8:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.9:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.10:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.11:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.12:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.13:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.14:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.15:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/a:phpmyadmin:phpmyadmin:4.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.4:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.5:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.6:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.7:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.8:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.9:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.10:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.11:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.12:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.13:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.13.1:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.14.1:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.15:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.15.1:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.15.2:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.15.3:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.15.4:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.15.5:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.15.6:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:opensuse:leap:42.1:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

    • Configuration 4:
  • cpe:/a:phpmyadmin:phpmyadmin:4.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.6.0:alpha1:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.6.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.6.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.6.2:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:phpmyadmin:phpmyadmin:4.0.10.15:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.4.15.6:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:4.6.2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20165733
    V
    		CVE-2016-5733
    2022-06-30
    oval:org.opensuse.security:def:113141
    P
    		phpMyAdmin-4.6.5.2-1.1 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:106569
    P
    		phpMyAdmin-4.6.5.2-1.1 on GA media (Moderate)
    2021-10-01
    oval:org.cisecurity:def:1017
    P
    		DSA-3627-1 -- phpmyadmin -- security update
    2016-09-16
    oval:com.ubuntu.disco:def:201657330000000
    V
    		CVE-2016-5733 on Ubuntu 19.04 (disco) - medium.
    2016-07-03
    oval:com.ubuntu.bionic:def:201657330000000
    V
    		CVE-2016-5733 on Ubuntu 18.04 LTS (bionic) - medium.
    2016-07-03
    oval:com.ubuntu.xenial:def:201657330000000
    V
    		CVE-2016-5733 on Ubuntu 16.04 LTS (xenial) - medium.
    2016-07-03
    oval:com.ubuntu.artful:def:20165733000
    V
    		CVE-2016-5733 on Ubuntu 17.10 (artful) - medium.
    2016-07-02
    oval:com.ubuntu.trusty:def:20165733000
    V
    		CVE-2016-5733 on Ubuntu 14.04 LTS (trusty) - medium.
    2016-07-02
    oval:com.ubuntu.cosmic:def:201657330000000
    V
    		CVE-2016-5733 on Ubuntu 18.10 (cosmic) - medium.
    2016-07-02
    oval:com.ubuntu.bionic:def:20165733000
    V
    		CVE-2016-5733 on Ubuntu 18.04 LTS (bionic) - medium.
    2016-07-02
    oval:com.ubuntu.xenial:def:20165733000
    V
    		CVE-2016-5733 on Ubuntu 16.04 LTS (xenial) - medium.
    2016-07-02
    oval:com.ubuntu.cosmic:def:20165733000
    V
    		CVE-2016-5733 on Ubuntu 18.10 (cosmic) - medium.
    2016-07-02
    oval:com.ubuntu.precise:def:20165733000
    V
    		CVE-2016-5733 on Ubuntu 12.04 LTS (precise) - medium.
    2016-07-02
    BACK
    phpmyadmin phpmyadmin 4.0.0
    phpmyadmin phpmyadmin 4.0.1
    phpmyadmin phpmyadmin 4.0.2
    phpmyadmin phpmyadmin 4.0.3
    phpmyadmin phpmyadmin 4.0.4
    phpmyadmin phpmyadmin 4.0.4.1
    phpmyadmin phpmyadmin 4.0.4.2
    phpmyadmin phpmyadmin 4.0.5
    phpmyadmin phpmyadmin 4.0.6
    phpmyadmin phpmyadmin 4.0.7
    phpmyadmin phpmyadmin 4.0.8
    phpmyadmin phpmyadmin 4.0.9
    phpmyadmin phpmyadmin 4.0.10
    phpmyadmin phpmyadmin 4.0.10.1
    phpmyadmin phpmyadmin 4.0.10.2
    phpmyadmin phpmyadmin 4.0.10.3
    phpmyadmin phpmyadmin 4.0.10.4
    phpmyadmin phpmyadmin 4.0.10.5
    phpmyadmin phpmyadmin 4.0.10.6
    phpmyadmin phpmyadmin 4.0.10.7
    phpmyadmin phpmyadmin 4.0.10.8
    phpmyadmin phpmyadmin 4.0.10.9
    phpmyadmin phpmyadmin 4.0.10.10
    phpmyadmin phpmyadmin 4.0.10.11
    phpmyadmin phpmyadmin 4.0.10.12
    phpmyadmin phpmyadmin 4.0.10.13
    phpmyadmin phpmyadmin 4.0.10.14
    phpmyadmin phpmyadmin 4.0.10.15
    phpmyadmin phpmyadmin 4.4.0
    phpmyadmin phpmyadmin 4.4.1
    phpmyadmin phpmyadmin 4.4.1.1
    phpmyadmin phpmyadmin 4.4.2
    phpmyadmin phpmyadmin 4.4.3
    phpmyadmin phpmyadmin 4.4.4
    phpmyadmin phpmyadmin 4.4.5
    phpmyadmin phpmyadmin 4.4.6
    phpmyadmin phpmyadmin 4.4.6.1
    phpmyadmin phpmyadmin 4.4.7
    phpmyadmin phpmyadmin 4.4.8
    phpmyadmin phpmyadmin 4.4.9
    phpmyadmin phpmyadmin 4.4.10
    phpmyadmin phpmyadmin 4.4.11
    phpmyadmin phpmyadmin 4.4.12
    phpmyadmin phpmyadmin 4.4.13
    phpmyadmin phpmyadmin 4.4.13.1
    phpmyadmin phpmyadmin 4.4.14.1
    phpmyadmin phpmyadmin 4.4.15
    phpmyadmin phpmyadmin 4.4.15.1
    phpmyadmin phpmyadmin 4.4.15.2
    phpmyadmin phpmyadmin 4.4.15.3
    phpmyadmin phpmyadmin 4.4.15.4
    phpmyadmin phpmyadmin 4.4.15.5
    phpmyadmin phpmyadmin 4.4.15.6
    opensuse leap 42.1
    opensuse opensuse 13.1
    opensuse opensuse 13.2
    phpmyadmin phpmyadmin 4.6.0
    phpmyadmin phpmyadmin 4.6.0 alpha1
    phpmyadmin phpmyadmin 4.6.0 rc1
    phpmyadmin phpmyadmin 4.6.0 rc2
    phpmyadmin phpmyadmin 4.6.1
    phpmyadmin phpmyadmin 4.6.2
    phpmyadmin phpmyadmin 4.0.10.15
    phpmyadmin phpmyadmin 4.4.15.6
    phpmyadmin phpmyadmin 4.6.2