From PMASA-2010-9, CVE-2010-4480:
http://www.phpmyadmin.net/home_page/security/PMASA-2010-9.php

Summary
Unvalidated input on error page.

Description
It was possible to display arbitrary text and link to external site using parameters passed to particular script.

Severity
This issue is considered minor, because the only purpose of affected file is to display an error message.

Affected Versions

Patch:
http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=aa6fec0532a9dd48d4e35831c1b1c9785c124dd7

From PMASA-2010-10, CVE-2010-4481:
http://www.phpmyadmin.net/home_page/security/PMASA-2010-10.php

Summary
Possible information disclosure.

Description
Unauthenticated user was able to display phpinfo output if phpMyAdmin was enabled to show it.

Patch:
http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=4d9fd005671b05c4d74615d5939ed45e4d019e4c
Will be fixed by update to 3.4.0. Stabilization via bug 354227.
Stabilization of a fixed package completed in bug 354227. GLSA Vote: No.
CVE-2010-4481 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4481):
phpMyAdmin before 3.4.0-beta1 allows remote attackers to bypass authentication and obtain sensitive information via a direct request to phpinfo.php, which calls the phpinfo function.

CVE-2010-4480 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4480):
error.php in PhpMyAdmin 3.3.8.1, and other versions before 3.4.0-beta1, allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted BBcode tag containing "@" characters, as demonstrated using "[a@url@page]".
voting no too, and closing.