CVE-2016-5731 — phpmyadmin - security update

Description

Cross-site scripting (XSS) vulnerability in examples/openid.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message.

How to fix CVE-2016-5731

To remediate CVE-2016-5731, upgrade the affected package to a fixed version below.

—upgrade to 4:4.6.3-1 or later
—upgrade to 4:3.4.11.1-2+deb7u5 or later
—upgrade to 4.0.10.16 or later

Is CVE-2016-5731 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 4:4.6.3-1
from 0, < 4:3.4.11.1-2+deb7u5
>= 4.0, < 4.0.10.16

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (14)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-5731
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-5731
PATCHgithub.com/phpmyadmin/composer
WEBlists.opensuse.org/opensuse-updates/2016-06/msg00113.html
WEB