Candidate: CVE-2016-9864
PublicDate: 2016-12-11 03:00:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9864
 https://www.phpmyadmin.net/security/PMASA-2016-69/
Description:
 An issue was discovered in phpMyAdmin. With a crafted username or a table
 name, it was possible to inject SQL statements in the tracking
 functionality that would run with the privileges of the control user. This
 gives read and write access to the tables of the configuration storage
 database, and if the control user has the necessary privileges, read access
 to some tables of the MySQL database. All 4.6.x versions (prior to 4.6.5),
 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18)
 are affected.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by: Emanuel Bronshtein
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.5 HIGH]

Patches_phpmyadmin:
upstream_phpmyadmin: released (4:4.6.5.1-1)
precise_phpmyadmin: ignored (reached end-of-life)
precise/esm_phpmyadmin: DNE (precise was needs-triage)
trusty_phpmyadmin: ignored (out of standard support)
trusty/esm_phpmyadmin: needed
vivid/stable-phone-overlay_phpmyadmin: DNE
vivid/ubuntu-core_phpmyadmin: DNE
xenial_phpmyadmin: ignored (end of standard support, was needed)
yakkety_phpmyadmin: ignored (reached end-of-life)
zesty_phpmyadmin: not-affected (4:4.6.5.1-1)
artful_phpmyadmin: not-affected (4:4.6.5.1-1)
bionic_phpmyadmin: not-affected (4:4.6.5.1-1)
cosmic_phpmyadmin: not-affected (4:4.6.5.1-1)
disco_phpmyadmin: not-affected (4:4.6.5.1-1)
eoan_phpmyadmin: DNE
focal_phpmyadmin: not-affected (4:4.6.5.1-1)
groovy_phpmyadmin: not-affected (4:4.6.5.1-1)
hirsute_phpmyadmin: not-affected (4:4.6.5.1-1)
impish_phpmyadmin: not-affected (4:4.6.5.1-1)
jammy_phpmyadmin: not-affected (4:4.6.5.1-1)
devel_phpmyadmin: not-affected (4:4.6.5.1-1)