CVE-2016-5730: phpMyAdmin full path disclosure vulnerability
CVSS Score: 5.3 (CVSS 3.0)

Basic Information
CVE ID: CVE-2016-5730
GHSA ID:
EPSS Score: 0.78932%
CWE:
Published: 5/14/2022
Updated: 4/24/2024
KEV Status: No
Technology: PHP

Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
phpmyadmin/phpmyadmin | composer | >= 4.0, < 4.0.10.16 | 4.0.10.16 |
phpmyadmin/phpmyadmin | composer | >= 4.4, < 4.4.15.7 | 4.4.15.7 |
phpmyadmin/phpmyadmin | composer | >= 4.6, < 4.6.3 | 4.6.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper error handling and input validation across multiple components. The patches explicitly address: 1) Type checks in openid.php, 2) Missing config.php directory handling, 3) Array parameter processing in FormDisplay (libraries/config/FormDisplay.php), 4) Input validation gaps in Validator class (libraries/config/Validator.php), and 5) Unsanitized error messages in validate.php. Each vulnerable function allowed unhandled exceptions/errors to leak full path information when receiving malformed inputs, as confirmed by the commit diffs and CVE description.
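
The error class described above, as an added example that is not phpMyAdmin code: a handler that assumes a request parameter is a string raises an error whose text carries the script's absolute path, while a type-checked handler fails closed with a generic message. All function names and the `identifier` parameter are hypothetical, and the malformed input is constructed.

```php
<?php
declare(strict_types=1);

// Added illustration; function names and the 'identifier' key are hypothetical.

/** Before: assumes the parameter is a string. */
function handleUnchecked(array $params): string
{
    // trim() on an array raises a TypeError here (on older PHP without
    // strict_types it emits a warning instead); both messages name the file.
    return 'Checking ' . trim($params['identifier']);
}

/** After: validate the type first and answer with a generic message. */
function handleChecked(array $params): string
{
    $id = $params['identifier'] ?? null;
    if (!is_string($id) || $id === '') {
        return 'Invalid request.';
    }
    return 'Checking ' . trim($id);
}

/** Approximates what an uncaught error shows when display_errors is on. */
function renderLikeDisplayErrors(Throwable $e): string
{
    return sprintf('%s: %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine());
}

/** True when the output contains this script's directory on disk. */
function containsServerPath(string $output): bool
{
    return strpos($output, __DIR__) !== false;
}

// Constructed malformed input: an array where a string is expected.
$malformed = ['identifier' => ['x']];

try {
    $unchecked = handleUnchecked($malformed);
} catch (Throwable $e) {
    $unchecked = renderLikeDisplayErrors($e);
}

echo 'unchecked output leaks path: ', var_export(containsServerPath($unchecked), true), "\n";
echo 'checked output leaks path: ', var_export(containsServerPath(handleChecked($malformed)), true), "\n";
```

Run it from a file on disk so that `__DIR__` and the error's file path refer to the same location. Keeping `display_errors` off in production and logging errors server-side limits what reaches the client when a check like this is missed.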