Debian: DSA-3627-1 Critical: phpMyAdmin XSS Issues Resolved

July 24, 2016
A number of security flaws in phpMyAdmin have been highlighted in Debian Security Advisory DSA-3627-1. It is advised to perform an upgrade.
Several vulnerabilities have been fixed in phpMyAdmin, the web-based MySQL administration interface.

Summary

CVE-2016-1927

The suggestPassword function relied on a non-secure random number
generator which makes it easier for remote attackers to guess
generated passwords via a brute-force approach.

CVE-2016-2039

CSRF token values were generated by a non-secure random number
generator, which allows remote attackers to bypass intended access
restrictions by predicting a value.

CVE-2016-2040

Multiple cross-site scripting (XSS) vulnerabilities allow remote
authenticated users to inject arbitrary web script or HTML.

CVE-2016-2041

phpMyAdmin does not use a constant-time algorithm for comparing
CSRF tokens, which makes it easier for remote attackers to bypass
intended access restrictions by measuring time differences.
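The two CSRF issues above (CVE-2016-2039, predictable token values; CVE-2016-2041, non-constant-time comparison) share one fix pattern: draw the token from the operating system's CSPRNG and compare it with a length-independent-timing function. The following is an added example, not phpMyAdmin's own code; it assumes PHP 7.0 or later for `random_bytes()` and uses a plain array in place of `$_SESSION`.

```php
<?php
// Added example (not phpMyAdmin code): CSRF token generation and verification.
// Assumes PHP >= 7.0 (random_bytes) and PHP >= 5.6 (hash_equals).

declare(strict_types=1);

// Weak pattern of the kind CVE-2016-2039 describes: mt_rand() has a small
// internal state and is not a CSPRNG, so its output can be predicted once an
// attacker has observed a few values, and the token inherits that weakness.
function weakCsrfToken(): string
{
    return md5((string) mt_rand());
}

// Hardened: 32 bytes from the OS CSPRNG, hex-encoded to 64 characters. The
// token lives server-side in the session and is embedded in every
// state-changing form.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Weak check of the kind CVE-2016-2041 describes: '==' returns as soon as the
// first differing byte is found, so response time leaks how many leading bytes
// matched. Loose comparison also treats numeric-looking strings such as
// "0e1" and "0e2" as equal.
function weakVerify(string $expected, string $submitted): bool
{
    return $expected == $submitted;
}

// Hardened: hash_equals() takes time that depends only on the length of
// $expected, so the comparison does not leak the token byte by byte. Missing
// input is rejected before any comparison takes place.
function verifyCsrfToken(array $session, ?string $submitted): bool
{
    if (!isset($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Demo on a constructed session array standing in for $_SESSION.
$session = [];
$token = issueCsrfToken($session);
printf("token length: %d\n", strlen($token));
var_dump(verifyCsrfToken($session, $token));
var_dump(verifyCsrfToken($session, substr($token, 0, 63)));
var_dump(verifyCsrfToken($session, null));
```

In a real form handler the token is emitted in a hidden field and `verifyCsrfToken()` is called on every POST before any action runs; a failed check should abort the request rather than fall through to the action.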

CVE-2016-2560

Multiple cross-site scripting (XSS) vulnerabilities allow remote
attackers to inject arbitrary web script or HTML.
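The XSS entries (CVE-2016-2040, CVE-2016-2560 and CVE-2016-2561) all come down to user-controlled values reaching HTML without escaping for the context they land in. The following is an added example, not phpMyAdmin's own code, showing an unescaped row renderer beside a hardened one; the row markup and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example (not phpMyAdmin code): context-aware output escaping, the
// standard fix for stored and reflected XSS in a PHP web interface.

declare(strict_types=1);

// Escape for HTML text and for double-quoted attribute values. ENT_QUOTES also
// escapes single quotes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would otherwise silently drop the value.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable form: raw values are concatenated straight into markup, so a
// stored table name or comment can close the attribute or open a script tag.
function renderRowUnsafe(string $name, string $comment): string
{
    return '<tr><td title="' . $comment . '">' . $name . '</td></tr>';
}

// Hardened form: every value is escaped at the point it enters HTML, in both
// the attribute context (title) and the text context (cell body).
function renderRowSafe(string $name, string $comment): string
{
    return '<tr><td title="' . h($comment) . '">' . h($name) . '</td></tr>';
}

// Constructed sample input: a table name containing markup and a comment that
// tries to break out of the title attribute with a double quote.
$name = '<script>alert(1)</script>';
$comment = '" onmouseover="alert(2)';

echo renderRowUnsafe($name, $comment), "\n";
echo renderRowSafe($name, $comment), "\n";
```

Running the block prints the unsafe row with live markup and the safe row with `&lt;`, `&gt;` and `&quot;` entities in place of the dangerous characters. Values placed inside a JavaScript block or a URL need a different encoder; `htmlspecialchars()` is only correct for HTML text and attribute contexts.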

CVE-2016-2561

Multiple cross-site scripting (XSS) vulnerabilities allow remote
attackers to inject arbitrary web scr...


Severity
critical

Package: phpmyadmin
CVE ID: CVE-2016-1927 CVE-2016-2039 CVE-2016-2040 CVE-2016-2041
