Re: CVE Request --- phpMyAdmin -- Multiple XSS flaws in versions v3.4.0 to v3.4.4 (PMASA-2011-14)

["Steven M. Christey" <coley () rcf-smtp mitre org>]

Josh,

This actually requires two different CVEs because there are different 
researchers for each one.

- Steve








On Thu, 15 Sep 2011, Jan Lieskovsky wrote:

> Hello Josh, Steve, vendors,
>
>  multiple XSS flaws have been recently reported in the v3.4.4
> (and earlier 3.4.X) version of phpMyAdmin (PMASA-2011-14):
>
> [1] http://www.phpmyadmin.net/home_page/security/PMASA-2011-14.php
>
> 1) An XSS flaw was found in the way phpMyAdmin processed row content,
>   containing JavaScript code, after its inline editing and saving,
>
> 2) It was found that phpMyAdmin did not properly sanitize the content
>   of db, table, and column names prior use of their values.
>
> A remote attacker could use these flaws to conduct XSS attacks (execute
> arbitrary HTML or web script) by tricking authenticated phpMyAdmin user into 
> visiting of a specially-crafted URL.
>
> References:
> [2] http://secunia.com/advisories/45991/
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=738681
>
> Could you allocate a CVE id for these?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team