製品・ソフトウェアに関する情報

JVN脆弱性詳細

phpMyAdmin におけるクロスサイトスクリプティングの脆弱性

Title	phpMyAdmin におけるクロスサイトスクリプティングの脆弱性
Summary	phpMyAdmin には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	リモート認証されたユーザにより、以下を介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。 (1) database normalization ページの normalization.php (2) database normalization ページの js/normalization.js (3) database structure ページの templates/database/structure/sortable_header.phtml (4) Central columns ページの db_central_columns.php の pos パラメータ
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 25, 2016, midnight
Registration Date	March 4, 2016, 12:19 p.m.
Last Update	March 4, 2016, 12:19 p.m.

CVSS2.0 : 注意
Score	3.5
Vector	AV:N/AC:M/Au:S/C:N/I:P/A:N

Affected System

The phpMyAdmin Project

phpMyAdmin 4.4.15.5 未満の 4.4.x

phpMyAdmin 4.5.5.1 未満の 4.5.x

phpMyAdmin 4.4.15.5 未満の 4.4.x

phpMyAdmin 4.5.5.1 未満の 4.5.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-2561	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2561
2	CVE-2016-2561	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2561
National Vulnerability Database (NVD)
3	CVE-2016-2561	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2561
4	CVE-2016-2561	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2561

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html
2	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
GitHub
1	Escape selectors	https://github.com/phpmyadmin/phpmyadmin/commit/37c34d089aa19f30d11203bb0c7f85b486424372
2	Escape selectors	https://github.com/phpmyadmin/phpmyadmin/commit/37c34d089aa19f30d11203bb0c7f85b486424372
3	Fix XSS in Central columns page	https://github.com/phpmyadmin/phpmyadmin/commit/cc55f44a4a90147a007dee1aefa1cb529e23798b
4	Fix XSS in Central columns page	https://github.com/phpmyadmin/phpmyadmin/commit/cc55f44a4a90147a007dee1aefa1cb529e23798b
5	Fix XSS in database structure page	https://github.com/phpmyadmin/phpmyadmin/commit/983faa94f161df3623ecd371d3696a1b3f91c15f
6	Fix XSS in database structure page	https://github.com/phpmyadmin/phpmyadmin/commit/983faa94f161df3623ecd371d3696a1b3f91c15f
7	Fix XSS in normalization	https://github.com/phpmyadmin/phpmyadmin/commit/746240bd13b62b5956fc34389cfbdc09e1e67775
8	Fix XSS in normalization	https://github.com/phpmyadmin/phpmyadmin/commit/746240bd13b62b5956fc34389cfbdc09e1e67775
9	Fix XSS in normalization.js (bcd4ce8)	https://github.com/phpmyadmin/phpmyadmin/commit/bcd4ce8cba1272fca52f2331c08f2e3ac19cbbef
10	Fix XSS in normalization.js (bcd4ce8)	https://github.com/phpmyadmin/phpmyadmin/commit/bcd4ce8cba1272fca52f2331c08f2e3ac19cbbef
11	Fix XSS in normalization.js (f33a42f)	https://github.com/phpmyadmin/phpmyadmin/commit/f33a42f1da9db943a67bda7d29f7dd91957a8e7e
12	Fix XSS in normalization.js (f33a42f)	https://github.com/phpmyadmin/phpmyadmin/commit/f33a42f1da9db943a67bda7d29f7dd91957a8e7e
SECURITY ANNOUNCEMENTS
13	PMASA-2016-12	https://www.phpmyadmin.net/security/PMASA-2016-12/
14	PMASA-2016-12	https://www.phpmyadmin.net/security/PMASA-2016-12/

Change Log

No	Changed Details	Date of change
0	[2016年03月04日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2016-2561

Summary	Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3) templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos parameter to db_central_columns.php in the central columns page.
Publication Date	March 1, 2016, 8:59 p.m.
Registration Date	Jan. 26, 2021, 2:09 p.m.
Last Update	Nov. 21, 2024, 11:48 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:rc1::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta1::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta2::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178562.html
2	http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178562.html
3	http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178869.html
4	http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178869.html
5	http://lists.opensuse.org/opensuse-updates/2016-03/msg00018.html
6	http://lists.opensuse.org/opensuse-updates/2016-03/msg00018.html
7	http://lists.opensuse.org/opensuse-updates/2016-03/msg00020.html
8	http://lists.opensuse.org/opensuse-updates/2016-03/msg00020.html
9	http://www.debian.org/security/2016/dsa-3627
10	http://www.debian.org/security/2016/dsa-3627
11	https://github.com/phpmyadmin/phpmyadmin/commit/37c34d089aa19f30d11203bb0c7f85b486424372	Patch
12	https://github.com/phpmyadmin/phpmyadmin/commit/37c34d089aa19f30d11203bb0c7f85b486424372	Patch
13	https://github.com/phpmyadmin/phpmyadmin/commit/746240bd13b62b5956fc34389cfbdc09e1e67775	Patch
14	https://github.com/phpmyadmin/phpmyadmin/commit/746240bd13b62b5956fc34389cfbdc09e1e67775	Patch
15	https://github.com/phpmyadmin/phpmyadmin/commit/983faa94f161df3623ecd371d3696a1b3f91c15f	Patch
16	https://github.com/phpmyadmin/phpmyadmin/commit/983faa94f161df3623ecd371d3696a1b3f91c15f	Patch
17	https://github.com/phpmyadmin/phpmyadmin/commit/bcd4ce8cba1272fca52f2331c08f2e3ac19cbbef	Patch
18	https://github.com/phpmyadmin/phpmyadmin/commit/bcd4ce8cba1272fca52f2331c08f2e3ac19cbbef	Patch
19	https://github.com/phpmyadmin/phpmyadmin/commit/cc55f44a4a90147a007dee1aefa1cb529e23798b	Patch
20	https://github.com/phpmyadmin/phpmyadmin/commit/cc55f44a4a90147a007dee1aefa1cb529e23798b	Patch
21	https://github.com/phpmyadmin/phpmyadmin/commit/f33a42f1da9db943a67bda7d29f7dd91957a8e7e	Patch
22	https://github.com/phpmyadmin/phpmyadmin/commit/f33a42f1da9db943a67bda7d29f7dd91957a8e7e	Patch
23	https://www.phpmyadmin.net/security/PMASA-2016-12/	Patch Vendor Advisory
24	https://www.phpmyadmin.net/security/PMASA-2016-12/	Patch Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:rc1::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta1::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta2::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:::::::*