Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request --- phpMyAdmin -- Multiple XSS flaws in versions v3.4.0 to v3.4.4 (PMASA-2011-14)
From: Josh Bressers <bressers () redhat com>
Date: Fri, 30 Sep 2011 13:43:00 -0400 (EDT)

Sorry this took so long, it's been a wild couple of weeks.

----- Original Message -----
Hello Josh, Steve, vendors,

   multiple XSS flaws have been recently reported in the v3.4.4 (and
   earlier 3.4.X) version of phpMyAdmin (PMASA-2011-14):

[1] http://www.phpmyadmin.net/home_page/security/PMASA-2011-14.php

1) An XSS flaw was found in the way phpMyAdmin processed row content,
containing JavaScript code, after its inline editing and saving,

Use CVE-2011-3591


2) It was found that phpMyAdmin did not properly sanitize the content of
db, table, and column names prior use of their values.

Use CVE-2011-3592


A remote attacker could use these flaws to conduct XSS attacks (execute
arbitrary HTML or web script) by tricking authenticated phpMyAdmin user
into visiting of a specially-crafted URL.

References:
[2] http://secunia.com/advisories/45991/
[3] https://bugzilla.redhat.com/show_bug.cgi?id=738681

Thanks.

-- 
    JB


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]