CVE-2016-9866: Cross-Site Request Forgery (CSRF)

May 17, 2022 (updated July 31, 2023)

An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

References

github.com/advisories/GHSA-jvxx-8xxf-5495
nvd.nist.gov/vuln/detail/CVE-2016-9866
security.gentoo.org/glsa/201701-32
web.archive.org/web/20210123194736/http://www.securityfocus.com/bid/94536
www.phpmyadmin.net/security/PMASA-2016-71

Code Behaviors & Features

Detect and mitigate CVE-2016-9866 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →