PhpMyAdminPHPMYADMIN:PMASA-2009-6XSS and SQL injection vulnerabilities
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
76.9%
PMASA-2009-6
Announcement-ID: PMASA-2009-6
Date: 2009-10-13
Summary
XSS and SQL injection vulnerabilities
Description
Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted MySQL table name.
SQL injection vulnerability allows remote attackers to inject SQL via various interface parameters of the PDF schema generator feature.
Severity
We consider these vulnerabilities to be serious.
Affected Versions
For 2.11.x: versions before 2.11.9.6 are affected.<br /> For 3.x: versions before 3.2.2.1 are affected.
Solution
Upgrade to phpMyAdmin 3.2.2.1 or 2.11.9.6.
References
We wish to thank Quintin Russ for informing us in a responsible manner.
Assigned CVE ids: CVE-2009-3696 CVE-2009-3697
CWE ids: CWE-661 CWE-79 CWE-89
Patches
The following commits have been made to fix this issue:
The following commits have been made on the 2.11 branch to fix this issue:
More information
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.
| CPE | Name | Operator | Version |
|---|---|---|---|
| phpmyadmin | le | 3.2.2.1 | |
| phpmyadmin | le | 2.11.9.6 |
Related
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
76.9%