From ${URL} :

A cross-site scripting (XSS) flaw was found in the way phpMyAdmin, a tool to handle the administration of MySQL over the World Wide Web, sanitized certain input when displaying GIS visualization(s). A remote attacker could provide a specially-crafted URL that, when visited, would lead to arbitrary HTML or web script execution in the context of the phpMyAdmin user's session.

References:
[1] http://seclists.org/fulldisclosure/2013/Apr/100

Relevant upstream patch:
[2] https://github.com/phpmyadmin/phpmyadmin/commit/79089c9bc02c82c15419fd9d6496b8781ae08a5a
Arches, please test and mark stable:
=dev-db/phpmyadmin-3.5.8
Target keywords: "alpha amd64 hppa ppc ppc64 sparc x86"
Stable for HPPA.
CVE-2013-1937 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1937): Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow remote attackers to inject arbitrary web script or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameter.
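For administrators who want to check whether the vulnerable page was ever hit with odd values before the 3.5.8 upgrade landed, the following log-triage script is an added example; it is not part of this bug thread and not phpMyAdmin's own code. It assumes the web server writes Apache/nginx combined log format and uses only the script name and the two parameter names quoted from the CVE text above; both values are reflected into HTML, so anything that is not a plain integer is worth a look. The sample log lines are constructed.

```python
"""Flag access-log requests to phpMyAdmin's GIS visualization page whose
visualizationSettings[width]/[height] values are not plain integers.
Constructed example for triage; not phpMyAdmin code."""
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: combined log format ("ip - user [time] "METHOD target PROTO" status ...").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Parameter names from CVE-2013-1937; a legitimate value is a small integer.
WATCHED = ("visualizationSettings[width]", "visualizationSettings[height]")
INT_RE = re.compile(r"^\d{1,5}$")


def suspicious_params(request_target):
    """Return {param: value} for watched parameters whose value is not a plain integer.

    Only requests to tbl_gis_visualization.php are inspected. parse_qs percent-decodes
    both names (so %5Bwidth%5D becomes [width]) and values, mirroring what PHP sees.
    """
    parts = urlsplit(request_target)
    if not parts.path.endswith("tbl_gis_visualization.php"):
        return {}
    qs = parse_qs(parts.query, keep_blank_values=True)
    bad = {}
    for name in WATCHED:
        for value in qs.get(name, []):
            if not INT_RE.match(value):
                bad[name] = value
    return bad


def scan_log(lines):
    """Return a list of (ip, time, param, value) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for name, value in suspicious_params(m.group("target")).items():
            hits.append((m.group("ip"), m.group("time"), name, value))
    return hits


# Constructed sample: a normal request, a request with a non-numeric width, an unrelated page.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2013:12:00:01 +0000] "GET /phpmyadmin/tbl_gis_visualization.php'
    '?db=test&table=t&visualizationSettings%5Bwidth%5D=600&visualizationSettings%5Bheight%5D=450'
    ' HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2013:12:00:09 +0000] "GET /phpmyadmin/tbl_gis_visualization.php'
    '?db=test&table=t&visualizationSettings%5Bwidth%5D=%3Cb%3Ex%3C%2Fb%3E'
    '&visualizationSettings%5Bheight%5D=450 HTTP/1.1" 200 5130 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2013:12:00:15 +0000] "GET /phpmyadmin/index.php?token=abc'
    ' HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, name, value in scan_log(SAMPLE_LOG):
        print(f"{when} {ip} {name}={value!r}")
```

The check is deliberately strict: a value such as "600.5" or an empty string is also reported, since the fix upstream is to treat these settings as numbers rather than to HTML-escape arbitrary text, so any non-integer is at least a misuse worth reviewing. Feed real lines with `scan_log(open(path))` and adjust `LOG_RE` if the server uses a custom log format.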
amd64 stable
x86 stable
ppc stable
ppc64 stable
alpha stable
sparc stable
glsa with 467080, 478696, 479870
This issue was resolved and addressed in GLSA 201311-02 at http://security.gentoo.org/glsa/glsa-201311-02.xml by GLSA coordinator Sergey Popov (pinkbyte).