製品・ソフトウェアに関する情報

JVN脆弱性詳細

phpMyAdmin におけるクロスサイトスクリプティングの脆弱性

Title	phpMyAdmin におけるクロスサイトスクリプティングの脆弱性
Summary	phpMyAdmin には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	第三者により、以下を介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。 (1) libraries/Config.class.php に関連する巧妙に細工された Host HTTP ヘッダ (2) file_echo.php に関連する巧妙に細工された JSON データ (3) js/functions.js に関連する巧妙に細工された SQL クエリ (4) ユーザアカウントページの libraries/server_privileges.lib.php の initial パラメータ (5) zoom search ページの libraries/controllers/TableSearchController.class.php の it パラメータ
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 25, 2016, midnight
Registration Date	March 4, 2016, 12:19 p.m.
Last Update	March 4, 2016, 12:19 p.m.

CVSS2.0 : 警告
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N

Affected System

The phpMyAdmin Project

phpMyAdmin 4.0.10.15 未満の 4.0.x

phpMyAdmin 4.4.15.5 未満の 4.4.x

phpMyAdmin 4.5.5.1 未満の 4.5.x

phpMyAdmin 4.0.10.15 未満の 4.0.x

phpMyAdmin 4.4.15.5 未満の 4.4.x

phpMyAdmin 4.5.5.1 未満の 4.5.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-2560	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2560
2	CVE-2016-2560	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2560
National Vulnerability Database (NVD)
3	CVE-2016-2560	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2560
4	CVE-2016-2560	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2560

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html
2	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
GitHub
1	Escape SQL query for inline editing	https://github.com/phpmyadmin/phpmyadmin/commit/7877a9c0084bf8ae15cbd8d2729b126271f682cc
2	Escape SQL query for inline editing	https://github.com/phpmyadmin/phpmyadmin/commit/7877a9c0084bf8ae15cbd8d2729b126271f682cc
3	Fix XSS in User accounts page	https://github.com/phpmyadmin/phpmyadmin/commit/ab1283e8366c97a155d4e9ae58628a248458ea32
4	Fix XSS in User accounts page	https://github.com/phpmyadmin/phpmyadmin/commit/ab1283e8366c97a155d4e9ae58628a248458ea32
5	Fix XSS in zoom search	https://github.com/phpmyadmin/phpmyadmin/commit/41c4e0214c286f28830cca54423b5db57e7c0ce4
6	Fix XSS in zoom search	https://github.com/phpmyadmin/phpmyadmin/commit/41c4e0214c286f28830cca54423b5db57e7c0ce4
7	Urlencode hostname	https://github.com/phpmyadmin/phpmyadmin/commit/38fa1191049ac0c626a6684eea52068dfbbb5078
8	Urlencode hostname	https://github.com/phpmyadmin/phpmyadmin/commit/38fa1191049ac0c626a6684eea52068dfbbb5078
9	Use correct headers for json data	https://github.com/phpmyadmin/phpmyadmin/commit/c842a0de9288033d25404d1d6eb22dd83033675f
10	Use correct headers for json data	https://github.com/phpmyadmin/phpmyadmin/commit/c842a0de9288033d25404d1d6eb22dd83033675f
SECURITY ANNOUNCEMENTS
11	PMASA-2016-11	https://www.phpmyadmin.net/security/PMASA-2016-11/
12	PMASA-2016-11	https://www.phpmyadmin.net/security/PMASA-2016-11/

Change Log

No	Changed Details	Date of change
0	[2016年03月04日] 掲載	Feb. 17, 2018, 10:37 a.m.
0	[2016年03月04日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2016-2560

Summary	Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to libraries/controllers/TableSearchController.class.php in the zoom search page.
Publication Date	March 1, 2016, 8:59 p.m.
Registration Date	Jan. 26, 2021, 2:09 p.m.
Last Update	Nov. 21, 2024, 11:48 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:rc1::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta1::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.13:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.14:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta2::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.11:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.12:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178562.html
2	http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178562.html
3	http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178869.html
4	http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178869.html
5	http://lists.opensuse.org/opensuse-updates/2016-03/msg00018.html
6	http://lists.opensuse.org/opensuse-updates/2016-03/msg00018.html
7	http://lists.opensuse.org/opensuse-updates/2016-03/msg00020.html
8	http://lists.opensuse.org/opensuse-updates/2016-03/msg00020.html
9	http://www.debian.org/security/2016/dsa-3627
10	http://www.debian.org/security/2016/dsa-3627
11	https://github.com/phpmyadmin/phpmyadmin/commit/38fa1191049ac0c626a6684eea52068dfbbb5078	Patch
12	https://github.com/phpmyadmin/phpmyadmin/commit/38fa1191049ac0c626a6684eea52068dfbbb5078	Patch
13	https://github.com/phpmyadmin/phpmyadmin/commit/41c4e0214c286f28830cca54423b5db57e7c0ce4	Patch
14	https://github.com/phpmyadmin/phpmyadmin/commit/41c4e0214c286f28830cca54423b5db57e7c0ce4	Patch
15	https://github.com/phpmyadmin/phpmyadmin/commit/7877a9c0084bf8ae15cbd8d2729b126271f682cc	Patch
16	https://github.com/phpmyadmin/phpmyadmin/commit/7877a9c0084bf8ae15cbd8d2729b126271f682cc	Patch
17	https://github.com/phpmyadmin/phpmyadmin/commit/ab1283e8366c97a155d4e9ae58628a248458ea32	Patch
18	https://github.com/phpmyadmin/phpmyadmin/commit/ab1283e8366c97a155d4e9ae58628a248458ea32	Patch
19	https://github.com/phpmyadmin/phpmyadmin/commit/c842a0de9288033d25404d1d6eb22dd83033675f	Patch
20	https://github.com/phpmyadmin/phpmyadmin/commit/c842a0de9288033d25404d1d6eb22dd83033675f	Patch
21	https://www.phpmyadmin.net/security/PMASA-2016-11/	Patch Vendor Advisory
22	https://www.phpmyadmin.net/security/PMASA-2016-11/	Patch Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:rc1::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta1::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.13:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.14:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta2::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.11:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.12:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:::::::*