| Summary: | <dev-db/phpmyadmin-{4.4.15.2,4.5.3.1}: Content spoofing vulnerability when redirecting user to an external site | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | jmbsvicetto, web-apps |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://www.phpmyadmin.net/security/PMASA-2015-5/ | ||
| Whiteboard: | B4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 569800 | ||
| Bug Blocks: | |||
22:12 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) [dev-db/phpmyadmin] Version bump to address PMASA-2015-5 - fixes bug 564238. Drop vulnerable version. 22:12 < willikins> gentoovcs: https://bugs.gentoo.org/564238 "dev-db/phpmyadmin: Content spoofing vulnerability when redirecting user to an external site"; Gentoo Security, Vulnerabilities; IN_P; ago:security Package bumped. Thank you all for you work. Closing as [noglsa]. |
From ${URL} : PMASA-2015-5 Announcement-ID: PMASA-2015-5 Date: 2015-10-23 Summary Content spoofing vulnerability when redirecting user to an external site Description This vulnerability allows an attacker to perform a content spoofing attack using the phpMyAdmin's redirection mechanism to external sites. Severity We consider this vulnerability to be non critical since the spoofed content is escaped and no HTML injection is possible. Affected Versions Versions 4.4.x (prior to 4.4.15.1) and 4.5.x (prior to 4.5.1) are affected. Solution Upgrade to phpMyAdmin 4.4.15.1 or newer, or 4.5.1 or newer or apply patch listed below. References Thanks to Lalith Rallabhandi for reporting this vulnerability. Assigned CVE ids: 2015-7873 CWE ids: CWE-661 CWE-20 Patches The following commits have been made on the 4.4 branch to fix this issue: 2b31866fe0b30b867aaf5b5fedb11adb354e037f The following commits have been made on the 4.5 branch to fix this issue: cd097656758f981f80fb9029c7d6b4294582b706 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.