Information disclosure in Opensuse - CVE-2016-5097
Published: July 5, 2016 / Updated: August 9, 2020
Vulnerability identifier: #VU40213
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-5097
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: SUSE
Affected software:
Opensuse
Opensuse
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
phpMyAdmin before 4.6.2 places tokens in query strings and does not arrange for them to be stripped before external navigation, which allows remote attackers to obtain sensitive information by reading (1) HTTP requests or (2) server logs.
How to mitigate CVE-2016-5097
Install update from vendor's website.
Sources
- http://lists.opensuse.org/opensuse-updates/2016-06/msg00043.html
- http://www.securitytracker.com/id/1035978
- https://github.com/phpmyadmin/phpmyadmin/commit/11eb574242d2526107366d367ab5585fbe29578f
- https://github.com/phpmyadmin/phpmyadmin/commit/59e56bd63a5e023b797d82eb272cd074e3b4bfd1
- https://github.com/phpmyadmin/phpmyadmin/commit/5fc8020c5ba9cd2e38beb5dfe013faf2103cdf0f
- https://github.com/phpmyadmin/phpmyadmin/commit/8326aaebe54083d9726e153abdd303a141fe5ad3
- https://security.gentoo.org/glsa/201701-32
- https://www.phpmyadmin.net/security/PMASA-2016-14