From ${URL} : Description Multiple vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious users to conduct script insertion and SQL injection attacks. 1) Input passed via the "User", "Host", "db", and "Command" parameters related to the Status Monitor view is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed. 2) Input passed via a link to an object is not properly sanitised before being used to display the contents of a table. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed. Successful exploitation requires that the link transformation plugin is used. This vulnerability is reported in versions 4.0.x prior to 4.0.4.2. 3) Input passed via the "scale" POST parameter to pmd_pdf.php and via the "pdf_page_number" POST parameter to schema_export.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code with the privileges of the control user. The vulnerabilities #1 and #3 are reported in versions 3.5.x prior to 3.5.8.2 and 4.0.x prior to 4.0.4.2. Solution: Update to version 3.5.8.2 or 4.0.4.2. Provided and/or discovered by: The vendor credits: 1) Emanuel Bronshtein 2) Dieter Adriaenssens 3) Noam Rathaus Original Advisory: http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php http://www.phpmyadmin.net/home_page/security/PMASA-2013-13.php http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
In light of bug 479870, I'd say ignore 3.5.8.2 and just go to 4.0.5.
GLSA with 479870, 465420, 467080
CVE-2013-5003 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5003): Multiple SQL injection vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allow remote authenticated users to execute arbitrary SQL commands via (1) the scale parameter to pmd_pdf.php or (2) the pdf_page_number parameter to schema_export.php. CVE-2013-5002 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5002): Cross-site scripting (XSS) vulnerability in libraries/schema/Export_Relation_Schema.class.php in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted pageNumber value to schema_export.php. CVE-2013-5001 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5001): Cross-site scripting (XSS) vulnerability in libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php in phpMyAdmin 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted object name associated with a TextLinkTransformationPlugin link. CVE-2013-5000 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5000): phpMyAdmin 3.5.x before 3.5.8.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to config.default.php and other files. CVE-2013-4999 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4999): phpMyAdmin 4.0.x before 4.0.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to Error.class.php and Error_Handler.class.php. CVE-2013-4998 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4998): phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to pmd_common.php and other files. CVE-2013-4997 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4997): Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving a JavaScript event in (1) an anchor identifier to setup/index.php or (2) a chartTitle (aka chart title) value. CVE-2013-4996 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4996): Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted database name, (2) a crafted user name, (3) a crafted logo URL in the navigation panel, (4) a crafted entry in a certain proxy list, or (5) crafted content in a version.json file. CVE-2013-4995 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4995): Cross-site scripting (XSS) vulnerability in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted SQL query that is not properly handled during the display of row information.
This issue was resolved and addressed in GLSA 201311-02 at http://security.gentoo.org/glsa/glsa-201311-02.xml by GLSA coordinator Sergey Popov (pinkbyte).