Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2016-2559

CVE-2016-2559:
phpMyAdmin Cross-site scripting (XSS) vulnerability in SQL parser

5.4

CVSS Score

Basic Information

CVE ID
CVE-2016-2559
GHSA ID
GHSA-7rf8-9r8f-qf59
EPSS Score
-
CWE
CWE-79
Published
5/17/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
phpmyadmin/phpmyadmincomposer>= 4.5, < 4.5.5.14.5.5.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unescaped output of SQL query strings in error messages. The commit diff clearly shows the vulnerable line was passing $err[2] (user-controlled query input) directly to error formatting, while the patched version adds HTML escaping. This matches the CWE-79 XSS pattern where user input isn't neutralized before web page generation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross-sit* s*riptin* (XSS) vuln*r**ility in t** *orm*t *un*tion in li*r*ri*s/sql-p*rs*r/sr*/Utils/*rror.p*p in t** SQL p*rs*r in p*pMy**min *.*.x ***or* *.*.*.* *llows r*mot* *ut**nti**t** us*rs to inj**t *r*itr*ry w** s*ript or *TML vi* * *r**t** qu

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** output o* SQL qu*ry strin*s in *rror m*ss***s. T** *ommit *i** *l**rly s*ows t** vuln*r**l* lin* w*s p*ssin* $*rr[*] (us*r-*ontroll** qu*ry input) *ir**tly to *rror *orm*ttin*, w*il* t** p*t**** v*rsion ***s *TM