CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS
Percentile: 69.3%
Announcement-ID: PMASA-2011-16
Date: 2011-10-17
XSS in setup.
Crafted values entered in the setup interface can produce XSS; also, if the config directory exists and is writeable, the XSS payload can be saved to this directory.
We consider this vulnerability to be non-critical.
The documentation warns against leaving this directory writeable, and a warning also appears on the home page. In addition, this XSS would target only the users who visit /setup.
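The persistence condition above depends on whether the config directory exists and is writeable. The following shell check is an added example, not part of the advisory or of phpMyAdmin itself; it assumes the directory is `config` directly under the phpMyAdmin root, and the function names `pma_config_dir_status` and `pma_audit` are hypothetical.

```shell
#!/bin/sh
# Added example: audit a phpMyAdmin tree for the writeable config directory
# that the advisory names as the condition for saving the payload.
# Assumption: the directory is <phpMyAdmin root>/config.

# Print "absent", "locked", or "writable:<classes>" (u=owner, g=group, o=other).
pma_config_dir_status() {
    dir="$1/config"
    if [ ! -d "$dir" ]; then
        echo "absent"
        return 0
    fi
    classes=""
    # find -perm -MODE matches when every bit in MODE is set; -prune stops
    # find from descending, so only the directory itself is tested.
    for spec in u:0200 g:0020 o:0002; do
        if [ -n "$(find "$dir" -prune -perm "-${spec#*:}" -print)" ]; then
            classes="$classes${spec%%:*}"
        fi
    done
    if [ -n "$classes" ]; then
        echo "writable:$classes"
    else
        echo "locked"
    fi
}

# Report the finding; return 1 when setup could save files to the directory.
pma_audit() {
    state=$(pma_config_dir_status "$1")
    case "$state" in
        absent) echo "OK: $1/config does not exist" ;;
        locked) echo "OK: $1/config exists but has no write bits set" ;;
        *)      echo "WARN: $1/config is $state; setup can save files there"
                return 1 ;;
    esac
}

# Stand-alone use: sh check.sh /path/to/phpmyadmin
if [ "$#" -gt 0 ]; then
    pma_audit "$1"
fi
```

The check reads mode bits only, so a directory owned by the web server account with owner write set is still reported as writable.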
Versions 3.4.x are affected.
Upgrade to phpMyAdmin 3.4.6 or newer or apply the related patch listed below.
Thanks to Jakub Gałczyk (<http://hauntit.blogspot.com>) for reporting this issue.
Assigned CVE ids: CVE-2011-4064
The following commits have been made to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.