oss-sec mailing list archives
Re: CVE Request --- phpMyAdmin -- Multiple XSS flaws in versions v3.4.0 to v3.4.4 (PMASA-2011-14)
From: Josh Bressers <bressers () redhat com>
Date: Fri, 30 Sep 2011 13:43:00 -0400 (EDT)
Sorry this took so long, it's been a wild couple of weeks.
----- Original Message -----
Hello Josh, Steve, vendors,
multiple XSS flaws have been recently reported in the v3.4.4 (and earlier 3.4.X) version of phpMyAdmin (PMASA-2011-14):
[1] http://www.phpmyadmin.net/home_page/security/PMASA-2011-14.php
1) An XSS flaw was found in the way phpMyAdmin processed row content, containing JavaScript code, after its inline editing and saving,
Use CVE-2011-3591
2) It was found that phpMyAdmin did not properly sanitize the content of db, table, and column names prior to use of their values.
Use CVE-2011-3592
A remote attacker could use these flaws to conduct XSS attacks (execute arbitrary HTML or web script) by tricking an authenticated phpMyAdmin user into visiting a specially-crafted URL.
References:
[2] http://secunia.com/advisories/45991/
[3] https://bugzilla.redhat.com/show_bug.cgi?id=738681
Thanks.
--
JB
Current thread:
- CVE Request --- phpMyAdmin -- Multiple XSS flaws in versions v3.4.0 to v3.4.4 (PMASA-2011-14) Jan Lieskovsky (Sep 15)
- Re: CVE Request --- phpMyAdmin -- Multiple XSS flaws in versions v3.4.0 to v3.4.4 (PMASA-2011-14) Steven M. Christey (Sep 15)
- Re: CVE Request --- phpMyAdmin -- Multiple XSS flaws in versions v3.4.0 to v3.4.4 (PMASA-2011-14) Josh Bressers (Sep 30)