According to its self-reported version, the phpMyAdmin application hosted on the remote web server is 4.0.x prior to 4.0.10.15, 4.4.x prior to 4.4.15.5, or 4.5.x prior to 4.5.5.1. It is, therefore, affected by multiple vulnerabilities.

  - Cross-site scripting (XSS) vulnerability in the format function in libraries/sql-     parser/src/Utils/Error.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.5.1 allows remote     authenticated users to inject arbitrary web script or HTML via a crafted query. (CVE-2016-2559)

  - Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before     4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a     crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to     file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to     libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to     libraries/controllers/TableSearchController.class.php in the zoom search page. (CVE-2016-2560)

  - Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before     4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php     or (2) js/normalization.js in the database normalization page, (3)     templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos     parameter to db_central_columns.php in the central columns page. (CVE-2016-2561)

  - The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify     X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof     these servers and obtain sensitive information via a crafted certificate. (CVE-2016-2562)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Detections

Analytics

phpMyAdmin 4.0.x < 4.0.10.15 / 4.4.x < 4.4.15.5 / 4.5.x < 4.5.5.1 Multiple Vulnerabilities

medium Nessus Plugin ID 143489

Version 1.8

Version 1.7

Version 1.6

Version 1.5

Version 1.8 Feb 20, 2025, 9:15 AM CVSS metrics ("CVSSv3 score" set to 6.8) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N") CVSSv3 score source (changed from "manual" to none) CVSSv3 severity (based on None, severity decreased from "High" to "Medium") Exploit attributes ("Exploit available" set to "False") Plugin Feed: 202502200915
Version 1.7 Feb 18, 2025, 11:54 PM Plugin metadata (CVSS 3 Change AC:H --> AC:L where needed) Plugin Feed: 202502182354
Version 1.6 Nov 22, 2024, 4:32 PM Plugin metadata (remove script_exclude_keys for CGI scanning) Plugin Feed: 202411221632
Version 1.5 Jun 4, 2024, 7:00 PM Required Scan configuration ("Enable cgi scanning" set to "True") Plugin Feed: 202406041900