Summary: | dev-db/phpmyadmin: XSS flaw possibly leading to root account creation (PMASA-2014-10) (CVE-2014-6300) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | a3li, jmbsvicetto, web-apps
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1141635 | |
Whiteboard: | B4 [glsa] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 530054 | |
Bug Blocks: | | |
Description
Agostino Sarubbo
2014-09-15 08:11:15 UTC
CVE-2014-6300 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6300): Cross-site scripting (XSS) vulnerability in the micro history implementation in phpMyAdmin 4.0.x before 4.0.10.3, 4.1.x before 4.1.14.4, and 4.2.x before 4.2.8.1 allows remote attackers to inject arbitrary web script or HTML, and consequently conduct a cross-site request forgery (CSRF) attack to create a root account, via a crafted URL, related to js/ajax.js.

no GLSA for Cross Site Scripting

Setting cleanup dependency on bug 530054 to cleanup version: 4.1.14.3

15:33 < gentoovcs> jmbsvicetto → gentoo-x86 (dev-db/phpmyadmin/) Bump phpmyadmin to the latest releases and add 4.4.0_beta1. Address CVE-2014-{9218,9219} - fixes bug 531684. Address PMASA-2015-1 - fixes bug 542218. Drop old vulnerable versions.

Old version cleaned.

(In reply to Jorge Manuel B. S. Vicetto from comment #3)
> 15:33 < gentoovcs> jmbsvicetto → gentoo-x86 (dev-db/phpmyadmin/) Bump
> phpmyadmin to the latest releases and add 4.4.0_beta1. Address
> CVE-2014-{9218,9219} - fixes bug 531684. Address PMASA-2015-1 - fixes bug
> 542218. Drop old vulnerable versions.
>
> Old version cleaned.

Thanks

Re-opening for GLSA together with bug 530054

This issue was resolved and addressed in GLSA 201505-03 at https://security.gentoo.org/glsa/201505-03 by GLSA coordinator Kristian Fiskerstrand (K_F).