Bug 514894 (CVE-2014-4348) - <dev-db/phpmyadmin-{4.1.14.2,4.2.7}: XSS (CVE-2014-{4348,4349})
Summary: <dev-db/phpmyadmin-{4.1.14.2,4.2.7}: XSS (CVE-2014-{4348,4349})
Status: RESOLVED FIXED
Alias: CVE-2014-4348
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.phpmyadmin.net/home_page/s...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: CVE-2014-5273
Blocks:
Reported: 2014-06-24 11:04 UTC by Hanno Böck
Modified: 2014-12-29 05:54 UTC
CC List: 3 users

Description Hanno Böck gentoo-dev 2014-06-24 11:04:15 UTC
Two XSS issues have been found in phpmyadmin: one only affects the 4.2 versions (CVE-2014-4348, PMASA-2014-2), the other also affects older 4.1 versions (CVE-2014-4349, PMASA-2014-3).

See upstream advisories:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-2.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-3.php

Fixes in versions 4.1.14.1 and 4.2.4.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-06-27 21:57:28 UTC
CVE-2014-4349 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4349):
  Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.1.x
  before 4.1.14.1 and 4.2.x before 4.2.4 allow remote authenticated users to
  inject arbitrary web script or HTML via a crafted table name that is
  improperly handled after a (1) hide or (2) unhide action.

CVE-2014-4348 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4348):
  Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.2.x
  before 4.2.4 allow remote authenticated users to inject arbitrary web script
  or HTML via a crafted (1) database name or (2) table name that is improperly
  handled after presence in (a) the favorite list or (b) recent tables.
Comment 2 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-08-14 12:40:38 UTC
12:34 < irker982> gentoo-x86: jmbsvicetto dev-db/phpmyadmin: Bump to versions 4.0.10.1, 4.1.14.2 and 4.2.7. Fixes bug 514894, 517858 and 519342.

4.1.14.2 and 4.2.7 are now in the tree.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-08-15 23:50:10 UTC
Stabilization is happening as part of bug 517858.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-08-25 14:50:30 UTC
A new vulnerability has been found, and the new versions come with this. No stabilization needs to happen as part of this bug; moving it to bug 520142 and setting it as a blocker.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-12-29 05:54:20 UTC
Vulnerable versions are not in the tree anymore.

Closing, no GLSA for cross-site scripting.