Vulnerability Description
libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fedoraproject | Fedora | 20 |
| Phpmyadmin | Phpmyadmin | 4.0.0 |
Related Weaknesses (CWE)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151331.htmlThird Party Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151914.htmlThird Party Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151931.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-updates/2015-07/msg00008.html
- http://www.debian.org/security/2015/dsa-3382
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:186Broken Link
- http://www.phpmyadmin.net/home_page/security/PMASA-2015-1.phpVendor Advisory
- http://www.securityfocus.com/bid/72949
- http://www.securitytracker.com/id/1031871Third Party AdvisoryVDB Entry
- https://github.com/phpmyadmin/phpmyadmin/commit/b2f1e895038a5700bf8e81fb9a5da36c
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151331.htmlThird Party Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151914.htmlThird Party Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151931.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-updates/2015-07/msg00008.html
- http://www.debian.org/security/2015/dsa-3382
FAQ
What is CVE-2015-2206?
CVE-2015-2206 is a vulnerability with a CVSS score of 5.0 (MEDIUM). libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a ...
How severe is CVE-2015-2206?
CVE-2015-2206 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-2206?
Check the references section above for vendor advisories and patch information. Affected products include: Fedoraproject Fedora, Phpmyadmin Phpmyadmin.