FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

phpMyAdmin -- XSS vulnerabilities

Affected packages
4.2.0 <= phpMyAdmin < 4.2.7.1

Details

VuXML ID fbb01289-2645-11e4-bc44-6805ca0b3d42
Discovery 2014-08-17
Entry 2014-08-17

The phpMyAdmin development team reports:

Multiple XSS vulnerabilities in browse table, ENUM editor, monitor, query charts and table relations pages.

With a crafted database, table or primary/unique key column name it is possible to trigger an XSS when dropping a row from the table. With a crafted column name it is possible to trigger an XSS in the ENUM editor dialog. With a crafted variable name or a crafted value for the unit field it is possible to trigger a self-XSS when adding a new chart in the monitor page. With a crafted value for the x-axis label it is possible to trigger a self-XSS in the query chart page. With a crafted relation name it is possible to trigger an XSS in the table relations page.

XSS in view operations page.

With a crafted view name it is possible to trigger an XSS when dropping the view in the view operations page.
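The common thread of both advisories is that database, table, column and view names come from the server's catalogue, where any account allowed to create objects chooses them, so the UI must escape them for every context they are rendered into. The following is an added illustration, not phpMyAdmin's own code or the advisory's text; the function names and the "drop row" link shape are assumptions, and the sample names are constructed.

```php
<?php
// Added example, not phpMyAdmin code. Object names are attacker-influenced
// metadata: treat them as untrusted output in HTML, attribute, JS and URL
// contexts alike.

// Escape for HTML text and double-quoted attribute values.
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Produce a JavaScript string literal; the HEX flags keep '<', '>', '&'
// and both quote characters out of the generated markup.
function esc_js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Vulnerable pattern (hypothetical): identifiers pasted straight into the
// link target, the inline handler's string literal and the link text.
function drop_row_link_unsafe(string $table, string $keyCol, string $keyVal): string {
    return '<a href="sql.php?table=' . $table . '" '
         . "onclick=\"return confirm('Drop row where $keyCol = $keyVal ?')\">"
         . "Drop from $table</a>";
}

// Hardened pattern: URL-encode for the query string, build the JS literal
// with esc_js, then HTML-escape everything that lands in an attribute or
// in the element body.
function drop_row_link_safe(string $table, string $keyCol, string $keyVal): string {
    $msg = esc_js("Drop row where $keyCol = $keyVal ?");
    return '<a href="sql.php?table=' . esc_html(rawurlencode($table)) . '" '
         . 'onclick="return confirm(' . esc_html($msg) . ')">'
         . 'Drop from ' . esc_html($table) . '</a>';
}

// Constructed sample: a table name carrying markup and a column name that
// closes the JS string literal early; the key value is ordinary.
$table  = 'users<b>not bold</b>';
$keyCol = "id');//";
$keyVal = '42';

echo drop_row_link_unsafe($table, $keyCol, $keyVal), PHP_EOL;  // markup reaches the browser
echo drop_row_link_safe($table, $keyCol, $keyVal), PHP_EOL;    // names render as literal text
```

The browser decodes `&quot;` inside the attribute before the script parser sees it, so the hardened handler evaluates a properly quoted JSON string literal regardless of what the identifier contains.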

References

CVE Name CVE-2014-5273
CVE Name CVE-2014-5274
URL http://www.phpmyadmin.net/home_page/security/PMASA-2014-8.php
URL http://www.phpmyadmin.net/home_page/security/PMASA-2014-9.php