製品・ソフトウェアに関する情報

JVN脆弱性詳細

phpMyAdmin におけるクロスサイトスクリプティングの脆弱性

タイトル	phpMyAdmin におけるクロスサイトスクリプティングの脆弱性
概要	phpMyAdmin には、クロスサイトスクリプティングの脆弱性が存在します。
想定される影響	第三者により、以下を介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。 (1) libraries/Config.class.php に関連する巧妙に細工された Host HTTP ヘッダ (2) file_echo.php に関連する巧妙に細工された JSON データ (3) js/functions.js に関連する巧妙に細工された SQL クエリ (4) ユーザアカウントページの libraries/server_privileges.lib.php の initial パラメータ (5) zoom search ページの libraries/controllers/TableSearchController.class.php の it パラメータ
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2016年2月25日0:00
登録日	2016年3月4日12:19
最終更新日	2016年3月4日12:19

CVSS2.0 : 警告
スコア	4.3
ベクター	AV:N/AC:M/Au:N/C:N/I:P/A:N

影響を受けるシステム

The phpMyAdmin Project

phpMyAdmin 4.0.10.15 未満の 4.0.x

phpMyAdmin 4.4.15.5 未満の 4.4.x

phpMyAdmin 4.5.5.1 未満の 4.5.x

phpMyAdmin 4.0.10.15 未満の 4.0.x

phpMyAdmin 4.4.15.5 未満の 4.4.x

phpMyAdmin 4.5.5.1 未満の 4.5.x

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-2560	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2560
2	CVE-2016-2560	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2560
National Vulnerability Database (NVD)
3	CVE-2016-2560	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2560
4	CVE-2016-2560	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2560

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html
2	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	名前	URL
GitHub
1	Escape SQL query for inline editing	https://github.com/phpmyadmin/phpmyadmin/commit/7877a9c0084bf8ae15cbd8d2729b126271f682cc
2	Escape SQL query for inline editing	https://github.com/phpmyadmin/phpmyadmin/commit/7877a9c0084bf8ae15cbd8d2729b126271f682cc
3	Fix XSS in User accounts page	https://github.com/phpmyadmin/phpmyadmin/commit/ab1283e8366c97a155d4e9ae58628a248458ea32
4	Fix XSS in User accounts page	https://github.com/phpmyadmin/phpmyadmin/commit/ab1283e8366c97a155d4e9ae58628a248458ea32
5	Fix XSS in zoom search	https://github.com/phpmyadmin/phpmyadmin/commit/41c4e0214c286f28830cca54423b5db57e7c0ce4
6	Fix XSS in zoom search	https://github.com/phpmyadmin/phpmyadmin/commit/41c4e0214c286f28830cca54423b5db57e7c0ce4
7	Urlencode hostname	https://github.com/phpmyadmin/phpmyadmin/commit/38fa1191049ac0c626a6684eea52068dfbbb5078
8	Urlencode hostname	https://github.com/phpmyadmin/phpmyadmin/commit/38fa1191049ac0c626a6684eea52068dfbbb5078
9	Use correct headers for json data	https://github.com/phpmyadmin/phpmyadmin/commit/c842a0de9288033d25404d1d6eb22dd83033675f
10	Use correct headers for json data	https://github.com/phpmyadmin/phpmyadmin/commit/c842a0de9288033d25404d1d6eb22dd83033675f
SECURITY ANNOUNCEMENTS
11	PMASA-2016-11	https://www.phpmyadmin.net/security/PMASA-2016-11/
12	PMASA-2016-11	https://www.phpmyadmin.net/security/PMASA-2016-11/

変更履歴

No	変更内容	変更日
0	[2016年03月04日] 掲載	2018年2月17日10:37
0	[2016年03月04日] 掲載	2018年2月17日10:37

NVD脆弱性情報

CVE-2016-2560

概要	Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to libraries/controllers/TableSearchController.class.php in the zoom search page.
公表日	2016年3月1日20:59
登録日	2021年1月26日14:09
最終更新日	2024年11月21日11:48

影響を受けるソフトウェアの構成

構成1	以上	以下	より上	未満
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:rc1::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta1::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.13:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.14:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta2::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.11:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.12:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:::::::*

構成1	以上	以下	より上	未満
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:rc1::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta1::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.13:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.14:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta2::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.11:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.12:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:::::::*

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178562.html
2	http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178562.html
3	http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178869.html
4	http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178869.html
5	http://lists.opensuse.org/opensuse-updates/2016-03/msg00018.html
6	http://lists.opensuse.org/opensuse-updates/2016-03/msg00018.html
7	http://lists.opensuse.org/opensuse-updates/2016-03/msg00020.html
8	http://lists.opensuse.org/opensuse-updates/2016-03/msg00020.html
9	http://www.debian.org/security/2016/dsa-3627
10	http://www.debian.org/security/2016/dsa-3627
11	https://github.com/phpmyadmin/phpmyadmin/commit/38fa1191049ac0c626a6684eea52068dfbbb5078	Patch
12	https://github.com/phpmyadmin/phpmyadmin/commit/38fa1191049ac0c626a6684eea52068dfbbb5078	Patch
13	https://github.com/phpmyadmin/phpmyadmin/commit/41c4e0214c286f28830cca54423b5db57e7c0ce4	Patch
14	https://github.com/phpmyadmin/phpmyadmin/commit/41c4e0214c286f28830cca54423b5db57e7c0ce4	Patch
15	https://github.com/phpmyadmin/phpmyadmin/commit/7877a9c0084bf8ae15cbd8d2729b126271f682cc	Patch
16	https://github.com/phpmyadmin/phpmyadmin/commit/7877a9c0084bf8ae15cbd8d2729b126271f682cc	Patch
17	https://github.com/phpmyadmin/phpmyadmin/commit/ab1283e8366c97a155d4e9ae58628a248458ea32	Patch
18	https://github.com/phpmyadmin/phpmyadmin/commit/ab1283e8366c97a155d4e9ae58628a248458ea32	Patch
19	https://github.com/phpmyadmin/phpmyadmin/commit/c842a0de9288033d25404d1d6eb22dd83033675f	Patch
20	https://github.com/phpmyadmin/phpmyadmin/commit/c842a0de9288033d25404d1d6eb22dd83033675f	Patch
21	https://www.phpmyadmin.net/security/PMASA-2016-11/	Patch Vendor Advisory
22	https://www.phpmyadmin.net/security/PMASA-2016-11/	Patch Vendor Advisory