TYPO3-EXT-SA-2016-025: Multiple vulnerabilities in extension "phpMyAdmin" (phpmyadmin)

It has been discovered that the extension "phpMyAdmin" (phpmyadmin) has multiple vulnerabilities.

Release Date: September 29, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: 5.1.6 and below

Vulnerability Type: Multiple vulnerabilities

Severity: High

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:C/A:P/E:ND/RL:O/RC:C (What's that?)

References: PMASA-2016-17, PMASA-2016-19, PMASA-2016-21, PMASA-2016-22, PMASA-2016-23, PMASA-2016-26, PMASA-2016-27, PMASA-2016-28, PMASA-2016-29, PMASA-2016-30, PMASA-2016-32, PMASA-2016-33, PMASA-2016-34, PMASA-2016-35, PMASA-2016-36, PMASA-2016-37, PMASA-2016-38, PMASA-2016-39, PMASA-2016-41, PMASA-2016-42, PMASA-2016-43, PMASA-2016-45, PMASA-2016-46, PMASA-2016-47, PMASA-2016-48, PMASA-2016-49, PMASA-2016-50, PMASA-2016-51, PMASA-2016-52, PMASA-2016-53, PMASA-2016-54, PMASA-2016-55, PMASA-2016-56

Problem Description: Multiple vulnerabilities have been found in the phpMyAdmin component. Please see https://www.phpmyadmin.net/security/ for more information.

Solution: An updated version 5.1.7 is available from the TYPO3 extension manager and at https://typo3.org/extensions/repository/download/phpmyadmin/5.1.7/t3x/. Users of the extension are advised to update the extension as soon as possible.

Note: In general the TYPO3 Security Team recommends to not use any extension that bundles database or file management tools on production TYPO3 websites.

Credits: Thanks to Andreas Beutel for providing a TYPO3 extension package with an updated phpMyAdmin version.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.