CVE-2016-5706: phpMyAdmin Denial Of Service (DOS) attack
7.5
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.85851%
CWE
Published
5/14/2022
Updated
4/24/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
phpmyadmin/phpmyadmin | composer | >= 4.0, < 4.0.10.16 | 4.0.10.16 |
phpmyadmin/phpmyadmin | composer | >= 4.4, < 4.4.15.7 | 4.4.15.7 |
phpmyadmin/phpmyadmin | composer | >= 4.6, < 4.6.3 | 4.6.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from processing an unbounded array parameter in js/get_scripts.js.php. The patch adds array_slice(...,0,10) to limit iterations, indicating the original code lacked this restriction. The foreach loop over $_GET['scripts'] directly consumes user-controlled input without validation, enabling DoS via resource exhaustion (CWE-400). The file path and vulnerable pattern are explicitly shown in the commit diff and advisory descriptions.