PMASA-2016-52

Announcement-ID: PMASA-2016-52
Date: 2016-07-25

Summary

ArbitraryServerRegexp bypass

Description

A vulnerability was reported with the configuration directive. An attacker could reuse certain cookie values in a way that bypasses the servers defined by ArbitraryServerRegexp.

Severity

Critical

Mitigation Factor

Only servers using are vulnerable to this attack.

Affected Versions

All 4.6.x versions (prior to 4.6.4)
4.4.x versions (prior to 4.4.15.8)
4.0.x versions (prior to 4.0.10.17)

Solution

Upgrade to phpMyAdmin 4.6.4, 4.4.15.8, 4.0.10.17, or newer, or apply the patch listed below.

References

Thanks to Emanuel Bronshtein [@e3amn2] for reporting this vulnerability.

Assigned CVE ids: CVE-2016-6629
CWE ids: CWE-661

Patches

Commits:

On the 4.6 branch: a97be3a
On the 4.4 branch: cd682a6
On the 4.0 branch: 95b7b7d

More Information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.