CVE-2016-6614

MEDIUM6.8EPSS 1.1%

Published: 12/11/2016Modified: 5/7/2026

Description

An issue was discovered in phpMyAdmin involving the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a specially-crafted user name can be used to circumvent restrictions to traverse the file system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.

Affected packages (2)

Alpine/phpmyadminfrom 0, < 4.4.15.8-r0
Debian/phpmyadminfrom 0, < 4:4.6.4+dfsg1-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.8	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

References (2)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2016-6614
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2016-6614