A vulnerability was found where, under some circumstances, an attacker can inject arbitrary values in the browser cookies. This was incompletely fixed in PMASA-2016-18.
Properly configured server which sets PHP_SELF is not affected by this.
All 4.6.x versions (prior to 4.6.6) are affected
Created phpMyAdmin tracking bugs for this issue:
Affects: fedora-all [bug 1416003]
Affects: epel-all [bug 1416004]
Created phpMyAdmin4 tracking bugs for this issue:
Affects: epel-5 [bug 1416005]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.