Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.MANDRIVA_MDVSA-2014-126.NASL
HistoryJul 09, 2014 - 12:00 a.m.

Mandriva Linux Security Advisory : phpmyadmin (MDVSA-2014:126)

2014-07-0900:00:00
This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
16
JSON

Multiple vulnerabilities has been discovered and corrected in phpmyadmin :

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database name or (2) table name that is improperly handled after presence in (a) the favorite list or (b) recent tables (CVE-2014-4348).

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.1.x before 4.1.14.1 and 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted table name that is improperly handled after a (1) hide or (2) unhide action (CVE-2014-4349).

This upgrade provides the latest phpmyadmin version (4.2.5) to address these vulnerabilities.

#%NASL_MIN_LEVEL 70300

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Mandriva Linux Security Advisory MDVSA-2014:126. 
# The text itself is copyright (C) Mandriva S.A.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(76423);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  script_cve_id("CVE-2014-4348", "CVE-2014-4349");
  script_bugtraq_id(68201, 68205);
  script_xref(name:"MDVSA", value:"2014:126");

  script_name(english:"Mandriva Linux Security Advisory : phpmyadmin (MDVSA-2014:126)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Mandriva Linux host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Multiple vulnerabilities has been discovered and corrected in
phpmyadmin :

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin
4.2.x before 4.2.4 allow remote authenticated users to inject
arbitrary web script or HTML via a crafted (1) database name or (2)
table name that is improperly handled after presence in (a) the
favorite list or (b) recent tables (CVE-2014-4348).

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin
4.1.x before 4.1.14.1 and 4.2.x before 4.2.4 allow remote
authenticated users to inject arbitrary web script or HTML via a
crafted table name that is improperly handled after a (1) hide or (2)
unhide action (CVE-2014-4349).

This upgrade provides the latest phpmyadmin version (4.2.5) to address
these vulnerabilities."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://sourceforge.net/p/phpmyadmin/news/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.phpmyadmin.net/home_page/security/PMASA-2014-2.php"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.phpmyadmin.net/home_page/security/PMASA-2014-3.php"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected phpmyadmin package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:phpmyadmin");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/07/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/07/09");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);


flag = 0;
if (rpm_check(release:"MDK-MBS1", reference:"phpmyadmin-4.2.5-1.mbs1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
  else security_note(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
VendorProductVersionCPE
mandrivalinuxphpmyadminp-cpe:/a:mandriva:linux:phpmyadmin
mandrivabusiness_server1cpe:/o:mandriva:business_server:1

Related

freebsd 1
nessus 6
securityvulns 2
openvas 7
ubuntucve 2
debiancve 2
phpmyadmin 2
mageia 1
prion 2
cve 2
fedora 2
freebsd
freebsd
phpMyAdmin -- two XSS vulnerabilities due to unescaped db/table names
2014-06-20 00:00:00
nessus
nessus
FreeBSD : phpMyAdmin -- two XSS vulnerabilities due to unescaped db/table names (c4892644-f8c6-11e3-9f45-6805ca0b3d42)
2014-06-23 00:00:00
phpMyAdmin 4.1.x < 4.1.14.1 / 4.2.x < 4.2.4 Navigation Hiding Items Multiple XSS (PMASA-2014-3)
2014-06-27 00:00:00
phpMyAdmin 4.2.x < 4.2.4 Recent/Favorite Table Navigation Multiple XSS (PMASA-2014-2)
2014-06-27 00:00:00
securityvulns
securityvulns
[ MDVSA-2014:126 ] phpmyadmin
2014-10-14 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2014-10-14 00:00:00
openvas
openvas
Mageia: Security Advisory (MGASA-2014-0275)
2022-01-28 00:00:00
phpMyAdmin Multiple XSS Vulnerabilities (PMASA-2014-3) - Windows
2017-08-21 00:00:00
phpMyAdmin Multiple XSS Vulnerabilities (PMASA-2014-3) - Linux
2017-08-21 00:00:00
ubuntucve
ubuntucve
CVE-2014-4349
2014-06-25 00:00:00
CVE-2014-4348
2014-06-25 00:00:00
debiancve
debiancve
CVE-2014-4349
2014-06-25 11:19:00
CVE-2014-4348
2014-06-25 11:19:00
phpmyadmin
phpmyadmin
Self-XSS due to unescaped HTML output in navigation items hiding feature.
2014-06-20 00:00:00
Self-XSS due to unescaped HTML output in recent/favorite tables navigation.
2014-06-20 00:00:00
mageia
mageia
Updated phpmyadmin packages fix CVE-2014-4349
2014-06-27 19:03:09
prion
prion
Cross site scripting
2014-06-25 11:19:00
Cross site scripting
2014-06-25 11:19:00
cve
cve
CVE-2014-4349
2014-06-25 11:19:00
CVE-2014-4348
2014-06-25 11:19:00
fedora
fedora
[SECURITY] Fedora 20 Update: phpMyAdmin-4.2.6-1.fc20
2014-07-30 07:01:17
[SECURITY] Fedora 19 Update: phpMyAdmin-4.2.6-1.fc19
2014-07-30 07:02:40
JSON
Related for MANDRIVA_MDVSA-2014-126.NASL
freebsd1nessus6securityvulns2openvas7ubuntucve2debiancve2phpmyadmin2mageia1prion2cve2fedora2