SynopsisThe remote web server contains a PHP application that is affected by multiple vulnerabilities.
DescriptionVersions of phpMyAdmin 4.4.x prior to 184.108.40.206, or 4.5.x prior to 4.5.4 are unpatched for the following vulnerabilities :
- An information disclosure vulnerability exists in the 'AES.php' and 'Rijndael.php' scripts that allows a remote attacker, via a specially crafted request, to disclose the software's installation path. (CVE-2016-2042)
- A cross-site scripting vulnerability exists due to improper validation of user-supplied input to the normalization script when handling a crafted table name before returning it to users. An authenticated, remote attacker can exploit this, via specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-2043)
SolutionUpgrade to phpMyAdmin 220.127.116.11 / 4.5.4 or later. Alternatively, apply the patch referenced in the vendor advisory.