Comment # 3 on bug 994313 from 
https://www.phpmyadmin.net/security/PMASA-2016-54/

PMASA-2016-54

Announcement-ID: PMASA-2016-54

Date: 2016-07-25
Summary

Remote code execution vulnerability when run as CGI
Description

A vulnerability was discovered where a user can execute a remote code execution
attack against a server when phpMyAdmin is being run as a CGI application.
Under certain server configurations, a user can pass a query string which is
executed as a command-line argument by the file generator_plugin.sh.
Severity

We consider this vulnerability to be critical.
Mitigation factor

The file `/libraries/plugins/transformations/generator_plugin.sh` may be
removed. Under certain server configurations, it may be sufficient to remove
execute permissions for this file.
Affected Versions

All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and
4.0.x versions (prior to 4.0.10.17) are affected
Solution

Upgrade to phpMyAdmin 4.6.4, 4.4.15.8, 4.0.10.17, or newer, or apply patch
listed below.
References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: CVE-2016-6631

CWE ids: CWE-661
Patches

The following commits have been made on the 4.0 branch to fix this issue:

    47d00af

The following commits have been made on the 4.4 branch to fix this issue:

    0a3c6d3

The following commits have been made on the 4.6 branch to fix this issue:

    77a4d6e

You are receiving this mail because: