Re: CVE Request: Self-XSS in phpmyadmin fixed in 3.5.8

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/09/2013 06:01 AM, Salvatore Bonaccorso wrote:
> Hi Kurt
>
> New phpMyAdmin release (3.5.8) contains the following changelog
> entry:
>
> 3.5.8.0 (2013-04-08) - bug #3828 MariaDB reported as MySQL - bug
> #3854 Incorrect header for Safari 6.0 - bug #3705 Attempt to open
> trigger for edit gives NULL - Use HTML5 DOCTYPE - [security]
> Self-XSS on GIS visualisation page, reported by Janek Vind - bug
> #3800 Incorrect keyhandler behaviour #2
>
> refering to a XSS vulnerability on the GIS visualisation page. [1]
> is the reference by Janek Vind, upstream commit afaics [2].
>
> [1]: http://seclists.org/fulldisclosure/2013/Apr/100 [2]:
> https://github.com/phpmyadmin/phpmyadmin/commit/79089c9bc02c82c15419fd9d6496b8781ae08a5a
>
>  Could a CVE be assigned to this issue?
>
> Regards, Salvatore

Please use CVE-2013-1937 for this issue (perfect CVE request BTW,
thanks!).


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRZE0SAAoJEBYNRVNeJnmTO5wQAKWUZnBtTi5F/xp0cakFX2rK
0NBhcT4NOAxJBdXcUDIAFHb2yfHLvYgTTjrIrSI10Rv+vEl594h51nzYaL427xVJ
RmKc0Na86bvBd/UxMxXidE1sHb+bqSNAAWEw4UKd/+WHVyTc6BlzPpsVuU+chRI6
rQ+Iq0+8YWNqXYsRtHnLTEjdZ0B2PiPZGwu+bNA1j30BbXEz/mb6uJWLhCouBJvK
7w2gan8YMOa7g7JWg+eF0HIdJ2xLHzDxHKN2mAYt6U/t4t0W0ewsTcc61YvoAqx7
5IWoMcMq7g897Qayg0gbWsVVEQkKbQVLxpkklhn2PW3elai7LeOXcc5ZEAOqut9h
Mhn0ZU4i9X1fIVFmKnbCERQ2aX5cCZKiWsm7k3TwrzlaevU9zK9hgM0dfZGeAc8E
kSImV4ATW2AiO0KLBUepEB+FK00x8IvXzvlviIdVaNebvy9BdHIB2Br146tkVPQ9
eycb8gQDP+1P6IpA9iBQRTmQ2pBqlNXpc3pO156yDrQXAgBL8AW0q23lrjXI7iU8
Zni4c5sPjZNqCZoDUYMyovDwOit5OZpxxFa9tNqSnfHFxQdVgjViwJQj9GEmsSdV
m2k/c+MQkEoyxUIFAzVOnpFtwmTpeHCfMrKZES1dVNn6kkfGW0frU2DbVJFuDvYH
ANAayFplBv1LGSw03HBC
=M3k7
-----END PGP SIGNATURE-----