Bug 522844 (CVE-2014-6300) - dev-db/phpmyadmin: XSS flaw possibly leading to root account creation (PMASA-2014-10) (CVE-2014-6300)
Status: RESOLVED FIXED
Alias: CVE-2014-6300
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [glsa]
Keywords:
Depends on: 530054
Blocks:
Reported: 2014-09-15 08:11 UTC by Agostino Sarubbo
Modified: 2015-05-31 19:21 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-09-15 08:11:15 UTC
From ${URL} :

The upstream phpMyAdmin PMASA-2014-10 advisory fixes the following issue:

""
By deceiving a logged-in user to click on a crafted URL, it is possible to perform remote code execution and in some cases, create a root account due to a DOM based XSS vulnerability in the micro history feature.

...

Versions 4.0.x (prior to 4.0.10.3), 4.1.x (prior to 4.1.14.4) and 4.2.x (prior to 4.2.8.1) are affected.
""


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-12-28 22:31:09 UTC
CVE-2014-6300 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6300):
  Cross-site scripting (XSS) vulnerability in the micro history implementation
  in phpMyAdmin 4.0.x before 4.0.10.3, 4.1.x before 4.1.14.4, and 4.2.x before
  4.2.8.1 allows remote attackers to inject arbitrary web script or HTML, and
  consequently conduct a cross-site request forgery (CSRF) attack to create a
  root account, via a crafted URL, related to js/ajax.js.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-12-29 06:05:34 UTC
No GLSA for Cross Site Scripting.

Setting cleanup dependency on bug 530054 to cleanup version: 4.1.14.3
Comment 3 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2015-03-14 15:36:56 UTC
15:33 < gentoovcs> jmbsvicetto → gentoo-x86 (dev-db/phpmyadmin/) Bump phpmyadmin to the latest releases and add 4.4.0_beta1. Address CVE-2014-{9218,9219} - fixes bug 531684. Address PMASA-2015-1 - fixes bug 542218. Drop old vulnerable versions.

Old version cleaned.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-14 15:39:32 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #3)
> 15:33 < gentoovcs> jmbsvicetto → gentoo-x86 (dev-db/phpmyadmin/) Bump
> phpmyadmin to the latest releases and add 4.4.0_beta1. Address
> CVE-2014-{9218,9219} - fixes bug 531684. Address PMASA-2015-1 - fixes bug
> 542218. Drop old vulnerable versions.
> 
> Old version cleaned.

Thanks
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-14 15:45:58 UTC
Re-opening for GLSA together with bug 530054
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-05-31 19:21:26 UTC
This issue was resolved and addressed in GLSA 201505-03 at https://security.gentoo.org/glsa/201505-03 by GLSA coordinator Kristian Fiskerstrand (K_F).