According to its self-reported version, the phpMyAdmin application hosted on the remote web server is 4.0.x prior to 4.0.10.15, 4.4.x prior to 4.4.15.5, or 4.5.x prior to 4.5.5.1. It is, therefore, affected by multiple vulnerabilities.

  - Cross-site scripting (XSS) vulnerability in the format function in libraries/sql-     parser/src/Utils/Error.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.5.1 allows remote     authenticated users to inject arbitrary web script or HTML via a crafted query. (CVE-2016-2559)

  - Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before     4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a     crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to     file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to     libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to     libraries/controllers/TableSearchController.class.php in the zoom search page. (CVE-2016-2560)

  - Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before     4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php     or (2) js/normalization.js in the database normalization page, (3)     templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos     parameter to db_central_columns.php in the central columns page. (CVE-2016-2561)

  - The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify     X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof     these servers and obtain sensitive information via a crafted certificate. (CVE-2016-2562)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Detections

Analytics

phpMyAdmin 4.0.x < 4.0.10.15 / 4.4.x < 4.4.15.5 / 4.5.x < 4.5.5.1 Multiple Vulnerabilities

medium Nessus Plugin ID 143489

Version 1.8