Name: CVE-2006-2031 (under review)
Status: Candidate
Description: Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin 2.8.0.3, 2.8.0.2, 2.8.1-dev, and 2.9.0-dev allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
References:
* MISC: http://pridels.blogspot.com/2006/04/phpmyadmin-xss-vuln.html
* SECUNIA: 19659
* URL: http://secunia.com/advisories/19659

---

Announcement-ID: PMASA-2006-2
Date: 2006-05-12
Summary: XSS vulnerabilities

Description:
1. It was possible to conduct an XSS attack with a crafted lang or theme parameter.
2. The db parameter was also vulnerable to an XSS attack.

Severity: We consider these vulnerabilities to be serious.

Affected versions:
[1] All 2.8.0.x releases before 2.8.0.4 are affected; previous versions are not.
[2] Some releases before 2.8.0.4 are affected (2.6.2 tested vulnerable).

Solution: Upgrade to phpMyAdmin 2.8.0.4.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2031
[2] We wish to thank Sven Vetsch/Disenchant for informing us in a responsible manner. His site is http://www.disenchant.ch.

For further information and in case of questions, please contact the phpMyAdmin team. Our website is http://www.phpmyadmin.net/.
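The advisory above describes two slightly different reflected-XSS shapes: parameters that select from a fixed set of server-side resources (lang, theme) and a parameter that carries a free-form user value (db) which the page echoes back. The example below is added here as an illustration of the mitigation pattern for both cases; it is not phpMyAdmin's code, and the language list, function names and the request-handling layout are assumptions made for the example.

```php
<?php
// Added example (not phpMyAdmin's code): defending a page against reflected
// XSS through a resource-selecting parameter (lang/theme) and a free-form
// parameter (db) that is echoed back into HTML.

// Assumption: the application ships a fixed, known set of language files.
const AVAILABLE_LANGS = ['en', 'de', 'fr', 'ja'];
const DEFAULT_LANG    = 'en';

/**
 * Return a language code guaranteed to be one of AVAILABLE_LANGS.
 * Anything else (including markup such as <script>) falls back to the default,
 * so attacker-controlled text never reaches the template at all.
 */
function selectLanguage(?string $requested): string
{
    if ($requested === null) {
        return DEFAULT_LANG;
    }
    // Structural check first: a language code is two lowercase letters,
    // optionally followed by a region (e.g. "pt-br").
    if (!preg_match('/^[a-z]{2}(-[a-z]{2})?$/', $requested)) {
        return DEFAULT_LANG;
    }
    // Allow-list check: only codes that actually ship are accepted.
    return in_array($requested, AVAILABLE_LANGS, true) ? $requested : DEFAULT_LANG;
}

/**
 * Escape any value that is placed into an HTML body or attribute.
 * ENT_QUOTES also neutralises single quotes, which matters inside attributes.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * The <html> opening tag. selectLanguage() already constrains the value;
 * escaping it anyway is a second, independent layer of defence.
 */
function renderHtmlOpenTag(string $lang): string
{
    return '<html lang="' . h($lang) . '">';
}

/**
 * A database name cannot be allow-listed the way a language can (users pick
 * their own), so the only correct option is to escape it at the output point.
 */
function renderDbHeading(string $db): string
{
    return '<h1>Database: ' . h($db) . '</h1>';
}

// "Before" pattern the advisory describes: the raw request value is echoed.
//   echo '<html lang="' . $_GET['lang'] . '">';
//   echo '<h1>Database: ' . $_GET['db'] . '</h1>';
//
// "After" pattern: validate what can be validated, escape everything on output.
$lang = selectLanguage($_GET['lang'] ?? null);
$db   = (string) ($_GET['db'] ?? '');
echo renderHtmlOpenTag($lang), "\n";
echo renderDbHeading($db), "\n";
```

With this layout a crafted lang value such as an HTML tag is discarded before it is ever rendered, and a crafted db value is rendered only as inert text; the same allow-list function applies unchanged to a theme parameter, since themes are likewise a fixed set of shipped directories.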
web-apps, please provide fixed ebuilds, thanks
In CVS
arches, please test and stable 2.0.8.4, thanks in advance.
x86 done
SPARC me amadeus
alpha and amd64 stable.
ppc stable
stable on hppa
Ready for GLSA vote, I tend to vote no but we did issue GLSAs for worse in the past.
Sure we did issue GLSAs in the past for worse things than XSS issues ;-) I tend to vote no too.
XSS issue on a web-app, most of the time non-typically internet-oriented. I vote No.
no++; closing, feel free to reopen in case you disagree.