Lucene search

PhpMyAdminPHPMYADMIN:PMASA-2006-2

HistoryMay 12, 2006 - 12:00 a.m.

XSS vulnerabilities

2006-05-1200:00:00

www.phpmyadmin.net

CVSS2

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:N/I:P/A:N

EPSS

0.003

Percentile

68.9%

JSON

PMASA-2006-2

Announcement-ID: PMASA-2006-2

Date: 2006-05-12

Summary

XSS vulnerabilities

Description

1. It was possible to conduct an XSS attack with a crafted lang or theme parameter.
2. The db parameter was also vulnerable to an XSS attack.

Severity

We consider these vulnerabilities to be serious.

Affected Versions

[1] All 2.8.0.x releases before 2.8.0.4 are affected, previous versions are not.<br /> [2] Some releases before 2.8.0.4 are affected (2.6.2 tested vulnerable).

Solution

Upgrade to phpMyAdmin 2.8.0.4.

References

We wish to thank Sven Vetsch/Disenchant for informing us in a responsible manner. His site is <http://www.disenchant.ch>.

Assigned CVE ids: CVE-2006-2031

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made to fix this issue:

79f778db99ac05e2028166d5a61ed25591e348c3

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

CVSS2

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:N/I:P/A:N

EPSS

0.003

Percentile

68.9%

JSON

Related for PHPMYADMIN:PMASA-2006-2