Cookie attribute injection attack
A vulnerability was found where, under some circumstances, an attacker can inject arbitrary values in the browser cookies. This was incompletely fixed in PMASA-2016-18.
We consider this to be non-critical.
Properly configured server which sets PHP_SELF is not affected by this.
All 4.6.x versions (prior to 4.6.6) are affected
Upgrade to phpMyAdmin 4.6.6 or newer or apply patch listed below.
Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.
Assigned CVE ids: CVE-2017-1000016
CWE ids: CWE-661
The following commits have been made on the 4.6 branch to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.