A vulnerability was found where, under some circumstances, an attacker can inject arbitrary values in the browser cookies. This was incompletely fixed in PMASA-2016-18. Mitigation: Properly configured server which sets PHP_SELF is not affected by this. Affected versions: All 4.6.x versions (prior to 4.6.6) are affected Upstream patches: https://github.com/phpmyadmin/phpmyadmin https://github.com/phpmyadmin/phpmyadmin/commit/3b6ed1f External References: https://www.phpmyadmin.net/security/PMASA-2017-5/
Created phpMyAdmin tracking bugs for this issue: Affects: fedora-all [bug 1416003] Affects: epel-all [bug 1416004]
Created phpMyAdmin4 tracking bugs for this issue: Affects: epel-5 [bug 1416005]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.