Main Vulnerability Database Vulnerabilities #VU33618

Deserialization of Untrusted Data in phpMyAdmin - CVE-2016-6620

Published: December 11, 2016 / Updated: August 4, 2020

Vulnerability identifier: #VU33618

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2016-6620

CWE-ID: CWE-502

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: phpMyAdmin

Affected software:
phpMyAdmin

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An issue was discovered in phpMyAdmin. Some data is passed to the PHP unserialize() function without verification that it's valid serialized data. The unserialization can result in code execution because of the interaction with object instantiation and autoloading. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.

How to mitigate CVE-2016-6620

Install update from vendor's website.

Deserialization of Untrusted Data in phpMyAdmin - CVE-2016-6620

Detailed vulnerability description

How to mitigate CVE-2016-6620

Sources

Please verify you're human