A vulnerability was found that allows completing a reCaptcha test and subsequently performing a brute-force attack to guess user credentials without having to complete further reCaptcha tests. This vulnerability only affects installations with the reCaptcha test enabled.

Affected versions are 4.3.x (prior to 4.3.13.2) and 4.4.x (prior to 4.4.14.1).

Upstream patches:

Fix for 4.3: https://github.com/phpmyadmin/phpmyadmin/commit/0314e67900f01410bc8c81c58a40dc0515e3c91d

Fix for 4.4: https://github.com/phpmyadmin/phpmyadmin/commit/785f4e2711848eb8945894199d5870253a88584e
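A version check built from the affected ranges stated above, as an added example that is not part of the original report or of phpMyAdmin's own code. The function names, the accepted string formats, and the sample inputs are assumptions made for illustration.

```python
import re

# First fixed release per affected branch, as stated in the report above.
FIXED = {(4, 3): (4, 3, 13, 2), (4, 4): (4, 4, 14, 1)}

# Accepts a bare version ("4.4.14") or an RPM-style name-version-release
# string ("phpMyAdmin-4.4.14.1-1.el7"). The accepted formats are an assumption.
_NVR_RE = re.compile(r"^(?:phpMyAdmin\d*-)?(\d+(?:\.\d+)+)(?:-\S+)?$", re.IGNORECASE)


def parse_version(text):
    """Return the version as a tuple of ints, padded to four components."""
    match = _NVR_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad so that 4.4.14 compares as 4.4.14.0, i.e. older than 4.4.14.1.
    return parts + (0,) * max(0, 4 - len(parts))


def classify(text):
    """Return 'affected', 'fixed', or 'not-listed' for one version string."""
    version = parse_version(text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branch is not named in the report; this check makes no claim about it.
        return "not-listed"
    return "affected" if version < fixed else "fixed"


def audit(inventory):
    """Map each inventory entry to its classification."""
    return {entry: classify(entry) for entry in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real host.
    sample = [
        "phpMyAdmin-4.4.14-1.el7",
        "phpMyAdmin-4.4.14.1-1.el7",
        "4.3.13.1",
        "4.3.13.2",
        "4.5.0",
    ]
    for entry, status in audit(sample).items():
        print(f"{entry:32} {status}")
```

An "affected" result only matters for installations that have the reCaptcha test enabled, since the report limits the issue to those.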
Created phpMyAdmin tracking bugs for this issue:

Affects: fedora-all [bug 1261815]

Affects: epel-all [bug 1261816]
Created phpMyAdmin4 tracking bugs for this issue:

Affects: epel-7 [bug 1261817]
phpMyAdmin-4.4.14.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-4.4.14.1-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-4.4.14.1-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-4.4.14.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.