Some vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "fieldkey" parameter in browse_foreigners.php and input passed to the "PMA_sanitize()" function is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerabilities are reported in versions prior to 2.10.1.

Reproducible: Always
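The advisory above describes reflected XSS through a request parameter that is echoed back unescaped. The following is an added illustration, not phpMyAdmin's own code and not a reconstruction of browse_foreigners.php or PMA_sanitize(): it contrasts the vulnerable pattern (untrusted input written straight into an HTML attribute) with the hardened one (contextual escaping plus a format check). The parameter name "fieldkey" comes from the advisory; the function names and the sample value are assumptions made for the example.

```php
<?php
// Added example (hypothetical code, not from phpMyAdmin). Shows why a
// parameter reflected into HTML must be escaped for its output context.

// Vulnerable pattern: the value is concatenated into markup as-is, so any
// quote or angle bracket in it changes the page structure.
function render_field_key_unsafe(string $fieldkey): string
{
    return '<input type="hidden" name="fieldkey" value="' . $fieldkey . '">';
}

// Hardened pattern: escape for the HTML attribute context. ENT_QUOTES covers
// both quote styles, ENT_SUBSTITUTE avoids returning an empty string on
// invalid UTF-8 (which would silently drop the value).
function render_field_key_safe(string $fieldkey): string
{
    $escaped = htmlspecialchars($fieldkey, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="fieldkey" value="' . $escaped . '">';
}

// Complementary check: a field key is expected to look like an identifier,
// so reject anything else before it reaches the template at all. The exact
// allowed pattern is an assumption for this example.
function is_valid_field_key(string $fieldkey): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{1,64}$/', $fieldkey);
}

// Constructed sample value (not from the advisory) containing characters
// that break out of an attribute and inject markup.
$sample = '"><b>not a field</b>';

echo "unsafe: " . render_field_key_unsafe($sample) . PHP_EOL;
// unsafe: <input type="hidden" name="fieldkey" value=""><b>not a field</b>">
echo "safe:   " . render_field_key_safe($sample) . PHP_EOL;
// safe:   <input type="hidden" name="fieldkey" value="&quot;&gt;&lt;b&gt;not a field&lt;/b&gt;">
echo "valid:  " . var_export(is_valid_field_key($sample), true) . PHP_EOL;
// valid:  false

// Simple self-check: the hardened output must not contain raw '<' beyond the
// tag the template itself emits.
assert(substr_count(render_field_key_safe($sample), '<') === 1);
```

Escaping at the point of output is the fix that actually closes the reflected XSS; the identifier check is defence in depth and also gives a clear place to log rejected requests, which is the usual detection hook for probes against such parameters.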
maintainers - please provide a fix
The weaknesses are reported in versions prior to 2.4.34.3. Solution: Update to version 2.4.34.3.
(In reply to comment #2)
> The weaknesses are reported in versions prior to 2.4.34.3.
>
> Solution:
> Update to version 2.4.34.3.

This post doesn't belong here, I pasted it into the wrong tab, sorry
maintainers please advise.
*** Bug 177450 has been marked as a duplicate of this bug. ***
maintainers - please advise
maintainers - please provide an updated ebuild
maintainers - please bump the ebuild
*** Bug 179760 has been marked as a duplicate of this bug. ***
*** Bug 179914 has been marked as a duplicate of this bug. ***
2.10.1 is in the tree
Thx Renat. Arches please test and mark stable. Target keywords are:

phpmyadmin-2.10.1.ebuild: KEYWORDS="alpha amd64 hppa ppc ppc64 sparc x86 ~x86-fbsd"
sparc stable.
ppc64 stable
Stable for HPPA.
stable on alpha
ppc stable
Stable for x86.
x86 _marked_ stable
Thanks everyone for the help. This one is ready for GLSA decision.
I vote YES.
voting YES too.
Just one thing before you finish voting: amd64 stable
I vote no but it's too late :/ XSS or information disclosure on a non-typically internet-oriented web application, I always vote no. But as you want.
We only released a couple of XSS GLSAs for phpmyadmin and they both date back years. When voting I was thinking that some web hosts would probably give access to their customers.
(In reply to comment #25)
> We only released a couple of XSS GLSAs for phpmyadmin and they both date back
> years. When voting I was thinking that some web hosts would probably give
> access to their customers.

If it's not a permanent XSS (I suppose it is not), the impact is very weak. An attacker would hardly manage to steal the administrator's credentials. The only realistic attack would be sending a crafted URL by mail or chat to an administrator, and ask him to click on it. That does not merit a GLSA imho.
If that is the case I don't believe one is necessary too.
OK so closing without GLSA, and fixing severity. Feel free to reopen if you disagree.